SLED Opportunity · OHIO · CENTRAL OHIO TRANSIT AUTHORITY (COTA)
AI Summary
COTA seeks a consulting firm for strategic advisory services on public transit technology strategy, governance, and innovation. The one-year contract starting April 2026 focuses on benchmarking, recommendations, and executive advisory without implementation services.
The Central Ohio Transit Authority (COTA) is soliciting proposals from qualified consulting firms to provide independent, strategic advisory services to the Agency’s Technology Department for an initial one-year term beginning on or around April 1, 2026, with an option to renew for an additional year. The consultant will serve in a strictly advisory capacity, providing objective insights, benchmarking, and strategic guidance to inform technology leadership and executive decision-making. No implementation, operational execution, or project delivery services are included in this engagement.
The selected consultant will leverage deep experience in public transit and comparable asset-intensive, publicly funded, and safety-critical industries to assess COTA’s current technology practices, identify strengths and gaps, and recommend prioritized, actionable strategies. Areas of focus include technology governance, operating models, vendor and software management, data and analytics, cybersecurity, emerging transportation and digital technologies, and regulatory and policy considerations affecting technology in transit.
Services will include industry best-practice benchmarking, a high-level review of COTA’s current technology environment, strategic recommendations, and executive advisory and facilitation support. Deliverables will consist of concise written findings, benchmarking insights, prioritized recommendations, strategic options, and executive-level presentation materials tailored to the public transit context.
This engagement is intended to provide an informed external perspective and thought partnership to COTA Technology leadership, enabling informed decisions regarding technology strategy, governance, and future operating models, while maintaining a vendor-neutral and implementation-agnostic approach.
The Central Ohio Transit Authority (COTA) is the regional public transit provider for Central Ohio, delivering fixed-route, paratransit, and innovative mobility services to residents, employees, and visitors throughout the region. As a publicly funded, safety-critical organization, COTA relies on robust, secure, and forward-looking technology capabilities to support operations, customer experience, workforce productivity, and long-term strategic objectives.
Technology continues to play an increasingly critical role in public transit, with rapid advancements in data analytics, cybersecurity, cloud computing, artificial intelligence, connected and zero-emission vehicles, and digital customer engagement platforms. At the same time, public transit agencies face evolving regulatory requirements, funding constraints, and operational complexities that require thoughtful technology governance, strategic planning, and informed decision-making.
COTA’s Technology Department is responsible for enabling and supporting the Agency’s mission through enterprise applications, data and analytics, infrastructure, cybersecurity, and emerging technology initiatives. To ensure the Agency remains resilient, innovative, and aligned with industry best practices, COTA seeks an independent, vendor-neutral advisor to provide strategic insight, benchmarking, and guidance to Technology leadership and executive stakeholders.
This engagement is intended to provide an external perspective grounded in public transit and comparable asset-intensive, publicly funded industries, and to support COTA in identifying opportunities to enhance technology strategy, governance, operating models, and value delivery. The consultant will serve solely in an advisory capacity and will not be responsible for implementation or operational execution.
COTA will evaluate the qualifications of personnel proposed for this engagement based on their relevant experience, technical expertise, and demonstrated ability to perform the required services. Consideration will be given to the roles and responsibilities of key personnel, the relevance of their experience to the scope of work, professional credentials, and the adequacy of staffing levels. Proposals will also be assessed on the proposer’s ability to ensure continuity of personnel and provide qualified backups to support successful project delivery.
COTA will evaluate the proposer’s past experience based on the relevance, scope, and complexity of prior engagements with government organizations, transit agencies, and similar public-sector entities. Consideration will be given to demonstrated experience with projects of comparable size and complexity, familiarity with applicable regulations and funding requirements, successful project outcomes, and the proposer’s ability to apply lessons learned to COTA’s project. Proposals that clearly demonstrate relevant, recent, and verifiable experience will be rated more favorably.
COTA will evaluate the proposer’s approach to the design, development, and implementation of the proposed service based on the clarity, feasibility, and effectiveness of the methodology presented. Consideration will be given to the proposer’s understanding of COTA’s needs, the soundness of the proposed design, the appropriateness of development processes, and the ability to implement the service in a timely, coordinated, and controlled manner. Proposals will also be assessed on risk management, quality assurance, stakeholder coordination, and the proposer’s ability to deliver a functional, sustainable solution that meets COTA’s operational and performance requirements.
COTA will evaluate the proposer’s overall strategic approach and methodology based on the clarity, coherence, and alignment of the proposed strategy with COTA’s objectives and operational needs. Consideration will be given to the proposer’s understanding of the scope of services, the soundness and integration of the proposed methodology, and the ability to translate strategy into effective execution. Proposals will be assessed on innovation where appropriate, practicality, adaptability to changing conditions, and the extent to which the approach demonstrates a clear path to achieving successful and measurable outcomes for COTA.
COTA will evaluate the proposer’s understanding of COTA’s business plan and long-term vision based on how clearly and accurately the proposal reflects COTA’s strategic goals, operational priorities, and organizational context. Consideration will be given to the proposer’s ability to align the proposed services with COTA’s mission, strategic initiatives, and future direction, as well as to demonstrate how the engagement will support COTA’s short- and long-term objectives. Proposals that show a strong, thoughtful understanding of COTA’s vision and articulate meaningful alignment will be rated more favorably.
COTA will evaluate the proposer’s project management approach based on the clarity, completeness, and practicality of the methodology presented. Proposals will be assessed on how effectively the approach addresses resource allocation, risk identification and mitigation, schedule management, progress monitoring, issue resolution, and quality control. Emphasis will be placed on the proposer’s ability to demonstrate structured governance, realistic staffing plans, proactive risk management, clear communication protocols, and measurable controls to ensure timely, high-quality delivery of the engagement.
COTA will evaluate the proposer’s approach to cybersecurity and data protection based on the strength, completeness, and clarity of the controls described. Proposals will be assessed on how effectively the proposer safeguards COTA’s physical and digital assets, protects the confidentiality, integrity, and availability of data, and mitigates cybersecurity risks throughout the engagement. Consideration will be given to demonstrated security governance, data handling practices, access controls, incident response procedures, compliance with applicable standards and regulations, and the proposer’s ability to securely manage and protect information shared with COTA.
Cost proposals will be evaluated using a comparative scoring formula. The proposer submitting the lowest total cost will receive the maximum cost score. All other cost proposals will be scored proportionally using the following formula:
Lowest cost submitted ÷ proposer’s cost submitted × 5 = cost points awarded
Cost proposals must be complete and submitted in accordance with the RFP instructions. Only cost proposals deemed responsive and reasonable will be considered in the cost evaluation.
At COTA’s discretion, and if deemed necessary, selected proposers may be invited to participate in presentations or interviews as part of Phase 2 of the evaluation process. This phase is intended to provide proposers an opportunity to clarify and expand upon information contained in their written proposals and to demonstrate their understanding of the project, proposed approach, and team capabilities.
Presentations or interviews may include discussions of the proposer’s methodology, project management approach, key personnel, relevant experience, and implementation strategy, as well as responses to questions from the evaluation committee. Participation in Phase 2 does not guarantee award.
If Yes, identify each subcontractor and describe the scope of services to be performed, the subcontractor’s qualifications and experience, and the proposer’s approach to managing and overseeing subcontracted work.
Please download the below documents, complete, and upload.
Please Upload your TECHNICAL response, including any and all required forms listed in the solicitation and the corresponding attachments.
Do not upload cost information here. You will have another opportunity to upload cost information in the subsequent section.
Vendors who select “Yes” to one or more of the questions in the Vendor Relationship Assessment section MUST complete the remaining questionnaire by selecting “Yes”, “No”, or “N/A” as applicable.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors are required to safeguard agency data in accordance with federal security standards, maintaining confidentiality, integrity, and availability at all times.
Vendors must comply with applicable laws and regulations on data privacy, implementing controls to ensure personal and sensitive information is collected, stored, and processed lawfully.
Vendors must apply robust security controls—such as data classification, encryption, strict access management, and regular audits—to protect sensitive and critical data from threats and unauthorized access.
Vendors must have a documented and tested incident response plan, enabling the timely detection, reporting, and management of cybersecurity incidents involving agency data, and must notify the agency of any significant incidents in accordance with legal and contract requirements.
Vendors are required to implement secure software development practices—including regular code reviews, vulnerability testing, and prompt remediation of known weaknesses—to ensure applications delivered to the agency are free from exploitable security flaws.
Vendors must enforce strong password policies, including requirements for password complexity, length, regular changes, and protection against password reuse, to reduce the risk of unauthorized access to agency systems and data.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Vendors are required to safeguard agency data in accordance with federal security standards, maintaining confidentiality, integrity, and availability at all times
Vendors are required to safeguard agency data in accordance with federal security standards, maintaining confidentiality, integrity, and availability at all times
Vendors are required to safeguard agency data in accordance with federal security standards, maintaining confidentiality, integrity, and availability at all times
Vendors are required to safeguard agency data in accordance with federal security standards, maintaining confidentiality, integrity, and availability at all times
Vendors are required to safeguard agency data in accordance with federal security standards, maintaining confidentiality, integrity, and availability at all times
Vendors are required to safeguard agency data in accordance with federal security standards, maintaining confidentiality, integrity, and availability at all times
Vendors must comply with applicable laws and regulations on data privacy, implementing controls to ensure personal and sensitive information is collected, stored, and processed lawfully.
Vendors must apply robust security controls—such as data classification, encryption, strict access management, and regular audits—to protect sensitive and critical data from threats and unauthorized access.
Vendors must have a documented and tested incident response plan, enabling the timely detection, reporting, and management of cybersecurity incidents involving agency data, and must notify the agency of any significant incidents in accordance with legal and contract requirements.
Vendors are required to implement secure software development practices—including regular code reviews, vulnerability testing, and prompt remediation of known weaknesses—to ensure applications delivered to the agency are free from exploitable security flaws.
Vendors must enforce strong password policies, including requirements for password complexity, length, regular changes, and protection against password reuse, to reduce the risk of unauthorized access to agency systems and data.
Vendors must maintain documented, up-to-date cybersecurity policies that address the protection, management, and oversight of sensitive information and systems.
Vendors must ensure all customer data is protected using appropriate security controls, including encryption and access restrictions, to prevent unauthorized access or disclosure.
Enter the name and title of the respondent’s authorized official that will be charged with signing the awarded contract.
Enter the number of years the Vendor’s firm has been in business.
Provide the Vendor’s gross annual receipts for the most recently completed fiscal year.
Please enter a CAGE Code if applicable.
CAGE stands for Commercial and Government Entity. A unique CAGE code is assigned to all businesses and individuals that complete the System for Award Management registration process. This "system" is a database that contains information about all active government contractors.
Enter the full name, title, and email address of the authorized company representative submitting the proposal on behalf of the Vendor.
By confirming, the Vendor agrees to Net 30 payment terms as set forth in the Terms and Conditions.
By certifying, the Bidder certifies that they are duly authorized to submit this proposal on behalf of the Vendor.
Q (Pricing Form): Is this an on-call? Could you please provide guidance on how to estimate the Total Price given that this is an on-call? Additionally, the Total Pricing form says the unit of measure is "LOT"; is this the same thing as "LUMP"? I'm unfamiliar with the term "LOT" in this context.
A: Total price should be based on staffing hours to the Innovation and Technology department in the areas identified in the RFP. COTA will not request or ask the vendor to work on all items in parallel. The scope of the RFP does not include implementation, but it does include areas of interest that COTA is looking into. As an example, COTA conducted a peer assessment within the past 3 years; this may be just a refresh of that assessment, not a completely new assessment. COTA's expectation is that this engagement will be more focused on strategic consulting with a vendor that has experience within the Scope of Services. As an example, COTA anticipates weekly/bi-weekly meetings with the awardee to discuss the direction of COTA's Technology department. Awardee will provide their insight, review how the awardee can assist/provide guidance based on their previous transit experience. The topics in those discussions will cover areas outlined in the Scope of Work. COTA will then be responsible for executing that strategy.
Q (Systems mapping): Hello, I am interested in assisting with this project. I specialize in end to end systems mapping to optimize value added steps and minimize wasteful activities. Would this be something that can contribute to this project?
A: Thank you for your interest in this project. All firms interested in participating in this opportunity should review the RFP and submit a proposal through the formal procurement process if they believe their experience and qualifications align with the scope of work.
Q (No subject): The included scopes of work are too broad to obtain best-in-class expertise from a single firm. Will COTA consider making multiple awards to select best-in-class firms that bid only on subsets of categories, or is it a hard requirement that a single firm be awarded across all categories even if that means selecting weaker experience in some categories?
A: COTA will make a decision based on proposals submitted. COTA understands the scope is broad and is looking for an agency that has staffing to provide guidance on the broad range of services outlined in the RFP. COTA is looking to the awardee to validate and/or improve our direction on the broad range of topic areas, not develop the strategy.
Q (3.1.29 Liquidated Damages): Does 3.1.29 apply to professional service contracts, specifically this contract?
A: Yes
Q (Cost Form): What does "LOT" mean on the cost form? Is it the same thing as "LUMP SUM"?
A: LOT = total
Q (Logistics): 2. Logistics Will COTA be open to a Hybrid Engagement style for Senior Strategic Advisors, with Virtual work and as-needed on-site meetings (monthly, presentations)?
A: Yes
Q (Current Technology Environment): Does COTA have on-premise or hybrid for Cloud?
A: Hybrid depending on the application
Q (No subject): d. Is the Data Platform a centralized one?
A: Yes
Q (No subject): Customer Does COTA have any innovative strategies for Customer Experience?
A: Additional detail will be provided to awardee on specific COTA strategies outside of the scope of this engagement.
Q (Governance and Operating Model): • How are technology investment decisions currently governed (e.g., IT steering committee, executive review board)?
A: Additional detail will be provided to awardee on specific COTA strategies outside of the scope of this engagement.
Q (Vendors): d. Vendors • How many major technology vendors and system integrators currently support COTA?
A: Additional detail will be provided to awardee on specific COTA strategies outside of the scope of this engagement.
Q (Advisory Model): • Will the selected advisor interact primarily with: o CIO / Technology leadership o Executive leadership o Board committees?
A: Technology Leadership
Q (Benchmarking and Comparison): • Which peer transit agencies does COTA consider relevant benchmarks?
A: Additional detail will be provided to awardee.
Q (Benchmarking Scope): b. Benchmarking Scope What areas should the benchmark focus on? Customers, Transit services?
A: Will be determined in conjunction with awardee.
Q (Performance Metrics): • Does COTA currently track technology KPIs that the advisor should review?
A: Additional detail will be provided to awardee on specific COTA strategies outside of the scope of this engagement.
Q (Infrastructure): c. Infrastructure • Will the advisor be expected to provide recommendations related to latest technologies tied to LinkUS expansion?
A: Potentially if that impacts the overall strategic direction of the technology
Q (Strategic Planning Horizon): o Is COTA expecting the advisor to focus on: a 1–3 year tactical roadmap, or a 5–10 year technology strategy aligned with LinkUS expansion?
A: COTA is expecting a combination. Short-term tactical plans that move to the longer term strategy for the department. This is not specifically aligned due to the LinkUS expansion.
Q (3. Current Technology Environment): a. Enterprise Architecture o Does COTA currently maintain a formal enterprise architecture framework?
A: Yes.
Q (Current Technology Environment): b. Core Technology Platforms o Can COTA provide a high-level inventory of major enterprise systems, including: Transit operations systems, Fare collection platforms, CRM, Enterprise ERP/finance systems
A: These will be provided during the next phase of the process.
Q (Emerging Technologies and Innovation): 6. Emerging Technologies and Innovation a. Priority Innovation Areas • Which emerging technologies are highest priority for COTA evaluation?
A: Artificial intelligence
Q (Meeting Cadence): 8. Deliverables and Engagement Structure a. Expected Deliverables • Can COTA confirm the expected deliverables for the engagement? Examples may include: • Technology strategy report • executive presentations
A: COTA can confirm that the example deliverables in the SOW are what would be expected.
Q (Meeting Cadence): b. Meeting Cadence • What cadence of interaction does COTA expect with the advisor? Examples: • monthly executive briefings • quarterly strategy reviews • ad hoc advisory consultations
A: Weekly and ad hoc advisory consultations and update on status of deliverables.
Q (No subject): c. Workshop Facilitation • Will the advisor be expected to facilitate executive workshops or strategy sessions?
A: Potentially, they will be required for strategy discussions/sessions.
Q (No subject): d. Stakeholder Access • Will the advisor have access to COTA leadership, operations teams, and external stakeholders during the engagement?
A: When appropriate, COTA cross functional teams will be available for engagement.
Q (Procurement and Contract Structure): a. Will COTA be willing to look at hourly rates, as this will be an Advisory engagement for very senior Advisors? This is the typical Engagement model for Advisory services. Some information can be provided on milestones and deliverables as related to the hourly rates. Or DEC can provide a not-to-exceed quote based on hourly rates for the first year. Or COTA can set up the Advisory hours in numbers? If you could share the method preferred by COTA, that will give vendors an opportunity to provide targeted Cost Bids.
A: COTA would prefer a not-to-exceed based on hourly rates for the first year.
Q (Budget): b. Estimated Budget Range • Is COTA able to share a budget estimate for the engagement? • Has the budget already been approved by Board/Executive management for the project?
A: COTA is estimating for the advisor services in the scope of work, this will be under $250k for a 1 year period.
Q (Proposal Evaluation ): c. Proposal Evaluation • Beyond the weighted scoring criteria, are there minimum experience thresholds expected for consulting firms?
A: Experience in the transit industry and associated technologies, working relationships with other transit agencies.
Q (SBE Preference): • Does COTA have a preference or preference points for small business, DBE or woman owned, minority owned business? If so, what would be the preference points for each of these categories?
A: No. COTA provides equal opportunity for all submissions.
Q (No subject): d. Multiple Advisors • Is COTA considering multiple advisory contracts, or a single advisor?
A: Depending on the responses, COTA may select multiple advisory contracts.
Q (No subject): 10. Data Access and Confidentiality a. Data Access • What types of documentation and system information will be available to the advisor? Examples: • architecture • contracts • budgets • policies
A: Advisor will have access to all the above listed documents within the question and others as applicable.
Q (No subject): b. Confidentiality Requirements • Will the selected advisor be required to comply with specific public-sector data governance or regulatory requirements?
A: Yes.
Q (No subject): Strategic Expansion Questions a. Long-Term Technology Strategy • Is COTA interested in developing a long-term enterprise technology roadmap aligned with the LinkUS expansion timeline?
A: Yes but again, LinkUS expansion is only a portion of the technology the department supports. LinkUS expansion is not the driver of this RFP.
Q (No subject): b. Transformation • Should the advisor provide guidance on any transformation within the Technology Department?
A: Advisor will provide guidance and recommendations for the Innovation and IT leadership team to consider moving forward.
Q (No subject): c. Future Advisory Extensions • Would COTA consider extending the engagement scope to periodic strategic advisory services beyond the initial year?
A: Scope of the engagement is 1 year. Any work beyond that time period will be competitively bid out.
Q (No subject): What are the drivers behind re-issuing this RFP?
A: COTA had not addressed all the open questions in a timely manner for all the submitters. The re-issue included more specific scope of work expectations.
Q (No subject): Would COTA accept Cyber Insurance in the amount of $150,000. We have found this level of coverage to be acceptable for projects of similar scope.
A: TBD
Q (No subject): Please confirm that non-US based corporations are eligible to bid on this RFP.
A: COTA has strong preference that firm be US based.
Q (No subject): What is the budget for this work?
A: COTA is estimating for the advisor services in the scope of work, this will be under $250k for a 1 year period.
Q (Proposal Validity): How long should proposals be valid for? 1.2.11 says "No Value"
A: 90 days
Q (Page Limits): Are the title page and/or transmittal letter included in the 20 page maximum?
A: Please read the proposal submission requirement section, as it spells out what is not included in the page maximum
Q (Pricing Form): The number of hours required will vary significantly based on COTA's requests as part of this contract. Can COTA provide a specific, sample project to price against to allow for better comparisons between proposers? Or alternatively, can COTA amend the pricing form to exclude a quantity of hours and instead just conduct a comparison of rates?
A: COTA would recommend basing pricing on various roles and their associated rates over time. For example, cybersecurity may run for a duration of 2 months of the year, and an advisor would align a security expert at a rate of $100/hr for 80 total hours during those 2 months. Overall, COTA would expect the total hours to equal the total number of FTE hours over a year. Those hours can be allocated to various resources within the advisor's firm dependent on the deliverables currently being worked on.
Q (Pricing Form): For each Line Item 1-4 in the Pricing Form in Section 5.2, does COTA intend that proposers should provide the Firm Fixed Price for a single effort? E.g. COTA may request Line Item 1. Research, comparative analysis, and benchmarking against peer agencies and comparable industries on more than one topic over the course of the contract. Should we fill in 5.2 with our FFP for providing these services for a single topic? Similarly, Line Item 4. would include the FFP for a single trip and that would be the FFP for each trip required by the project?
A: COTA would recommend basing pricing on various roles and their associated rates over time. For example, cybersecurity may run for a duration of 2 months of the year, and an advisor would align a security expert at a rate of $100/hr for 80 total hours during those 2 months. Overall, COTA would expect the total hours to equal the total number of FTE hours over a year. Those hours can be allocated to various resources within the advisor's firm dependent on the deliverables currently being worked on.
Q (stakeholder groups): Beyond Technology leadership, which stakeholder groups does COTA currently anticipate involving in interviews or workshops—for example Operations, Finance, Procurement, Legal, Safety, Security, Planning, or executive leadership?
A: Depending on the activity, all or some of the above stakeholders will be engaged.
Q (expected on-site vs remote mix): The engagement is described as hybrid at COTA locations in Columbus. Can COTA clarify the expected on-site versus remote mix, including whether there are anticipated minimum on-site days, milestone workshops, or executive sessions that must be conducted in person?
A: COTA will want to develop a good working relationship with the awardee. This will require some on-site, face-to-face activities. A specific number has not been identified.
Q (pricing): The RFP indicates a fixed-price engagement, but the pricing schedule requests both hourly rates and fixed-fee pricing by lot, while the cost instructions also reference more detailed cost/profit structures. Can COTA confirm the intended commercial structure and which pricing basis will govern evaluation and contract formation?
A: Base the price on a not-to-exceed from an hourly rate calculation.
Q (extension possibility): Can COTA confirm the governing contract term and whether any renewal or extension option exists? This is important because the RFP materials appear to contain inconsistent signals regarding term structure.
A: The term of the contract is in the SOW.
Q (Advisory Vs Implementation): The RFP states that the selected consultant will serve only in an advisory and consultative capacity and that implementation, project delivery, and operational execution are out of scope. How should proposers interpret any references elsewhere in the RFP that may imply implementation-oriented expectations?
A: Implementation will be COTA responsibility.
Q (Cost Proposal Questions): 1) Are we supposed to only show pricing for the labor descriptions provided or can we show more categories? 2) Are the hourly rates meant to be a breakdown of totals that make up the fixed fee pricing or are they just rates for work that may go beyond the base scope and therefore have no quantity or total, just a unit cost?
A: 1 - You can show more categories, descriptions in RFP are examples. 2 - They make up the fixed fee pricing.
Q (Technical Proposal Questions/Requests): 1) Would COTA consider sharing their budget for the entire engagement? 2) Would COTA consider allowing consultants to include a table of contents in our response, non-inclusive of the overall page limit?
A: 1) We are not sharing this information. 2) This is up to the proposer, as our requirements are clear in the proposal submission requirements.
Q (Proposal Requirements): Will COTA please confirm whether the 20-page limit is inclusive of a title page, transmittal letter, table of contents, and / or section divider pages?
A: The proposal requirements are clear on what is included in the page limit
Q (Scope of Services): Will COTA please confirm whether this is an on-call contract? (We recognize that some of the items in the Scope of Services are specific, which indicate that this is NOT an on-call contract; but some of the wording in the Scope of Services [e.g., "Areas of focus may include, but are not limited to"] is written with uncertainty, which indicates that this is an on-call contract.)
A: "On-call" is defined in this effort as: the ability for COTA to have an advisor that if questions come up where assistance is needed, COTA can reach out to advisor outside of regularly scheduled meetings.
Q (Scope of Services): If this is NOT an on-call contract, will COTA please provide more specifics about the scope? (For example, can COTA confirm exactly how many benchmarking studies they want done, and on which topics? We recognize that COTA has provided six benchmarking areas in the Scope of Services, but the language used ["Areas of focus may include but are not limited to"] indicates uncertainty.)
A: COTA would expect advisor familiar with the transit industry to have completed benchmarking for other transit agencies to help define the scope to include and beyond the six areas identified. The "but are not limited to" indicates COTA wants to collaborate with advisor to ensure a successful scope is identified.
Q (Pricing Proposal): If this IS an on-call contract, how would COTA like vendors to submit fixed prices?
A: See answer #51
Q (No subject): 1. Strategic Objectives and Scope Clarification a. Strategic Priorities o What are the top 3–5 strategic outcomes COTA expects from this advisory engagement during the first year?
A: Stronger Innovation and Technology department to support COTA, our riders and our community.
Q (No subject): 1. Strategic Objectives and Scope Clarification a. Strategic Priorities o What are COTA's top strategic outcomes for this project?
A: Stronger Innovation and Technology department to support COTA, our riders and our community.
Q (No subject): d. Advisory Depth o Should the advisor deliver high-level strategic guidance only, or is light-weight focused on some architecture analysis and scenario modeling expected?
A: High-Level
SLED stands for State, Local, and Education. These are solicitations issued by state governments, counties, cities, school districts, utilities, and higher education institutions — as opposed to federal agencies.