SLED Opportunity · CONNECTICUT · CITY OF MERIDEN

    RFP026-50 Cybersecurity Services

    Issued by City of Meriden
    Solicitation No. 247138 (RFP, city)
    Status: Closed (due Apr 1, 2026)
    Published: Mar 17, 2026 (posting date)
    NAICS code: 541512 (AI-classified industry)

    AI Summary

    The City of Meriden seeks proposals for cybersecurity services including 24/7 SOC monitoring, threat detection, incident response, and advisory support to enhance its IT security posture. The RFP is open with questions due by March 25, 2026.

    Opportunity details

    Solicitation No.: 247138
    Type / RFx: RFP
    Status: open
    Level: city
    Published Date: March 17, 2026
    Due Date: April 1, 2026
    NAICS Code: 541512
    Jurisdiction: City of Meriden
    Agency: City of Meriden

    Description

    The City of Meriden is seeking proposals from qualified cybersecurity service providers to deliver Security Operations Center (SOC) monitoring and cybersecurity support services for the City’s information technology infrastructure.

    The selected vendor will provide continuous monitoring, threat detection, incident response assistance, and cybersecurity advisory services to help the City maintain a strong security posture across its technology environment.

    The objectives of this RFP are to:

    • Implement 24/7 security monitoring

    • Detect potential cybersecurity threats

    • Provide timely incident response guidance

    • Improve visibility into security events

    • Strengthen the City’s cybersecurity posture

    • Provide cybersecurity expertise and recommendations

    Background

    The City of Meriden maintains a variety of information systems that support municipal services, public safety operations, and administrative functions.

    The City is seeking to enhance its cybersecurity capabilities through the engagement of a qualified vendor that can provide Security Operations Center monitoring and cybersecurity expertise to supplement internal IT resources.

    The City’s IT environment includes a combination of:

    • On-premise infrastructure

    • Virtual server environments

    • Endpoint devices

    • Network infrastructure

    • Identity management services

    • Cloud-based services

    The City seeks a vendor capable of providing advanced cybersecurity monitoring and response capabilities aligned with industry best practices.

    Project Details

    • Reference ID: RFP026-50
    • Department: IT
    • Department Head: Charles Carrozza (Director)

    Important Dates

    • Questions Due: 2026-03-25T20:00:00.000Z

    Addenda

    • Official Notice #1: Sample Agreement & COI for review (released 2026-03-19T18:57:25.073Z)

      Please see samples provided

    Evaluation Criteria

    • Qualifications & Experience (30 pts)
    • Demonstrated ability of key personnel experience. (20 pts)
    • References of past clients. (20 pts)
    • Detailed Pricing (30 pts)

    Submission Requirements

    • NON-COLLUSIVE STATEMENT/AFFIDAVIT (required)

      Please download the below documents, complete, and upload.

    • REQUEST FOR STATUS AS A MERIDEN BASED BUSINESS (required)

      Please download the below documents, complete, and upload.

    • EXECUTIVE SUMMARY & IMPLEMENTATION PLAN (required)

      Do NOT provide pricing information here!

    • PRICING PROPOSAL (required)
    • Additional Information
    • Is this an RFP or an RFQ? (required)
    • What services is Meriden seeking? (required)

      Ex. to furnish labor and materials to construct a multi-use linear trail along the western side of Research Parkway from East Main Street and the Wallingford Town Line.

    • What is the date of the legal notice/When are we publishing? (required)

      Ex. May 3, 2025

    • Is a Scope of Work/Project Details section needed? (required)

      Select no, if you will be adding specs/ drawings as attachments

    • Is Request for Status As a Meriden Based Business a required Vendor submission for this project? (required)
    • How Long is Proposal Pricing Valid? (required)
    • Pricing (required)

    Questions & Answers

    Q (Which SIEM solution(s) is your organization currently using?): Google Chronicle / SecOps (Self Managed); Google Chronicle / SecOps (Partner Managed); Microsoft Sentinel; Palo Alto Cortex XSIAM; Splunk; Other (Please name):

    A: For security reasons, specific platform details and configurations will be shared with the selected vendor under a Non-Disclosure Agreement (NDA). The City is open to vendor recommendations, including augmentation or replacement options.


    Q (Which SOAR solution(s) is your organization currently using?): Google SecOps (Self Managed); Google SecOps (Partner Managed); Microsoft Sentinel SOAR; Palo Alto Cortex XSOAR; Splunk Phantom SOAR; Other (please name):

    A: The City currently has limited SOAR capabilities. Expanding automation and orchestration is a key objective of this engagement. Vendors are encouraged to propose integrated SOAR capabilities aligned with their Managed Detection & Response (MDR) solution.


    Q (Please provide your current annual security telemetry data ingestion volume in TB): (If you are not sure, or don't currently ingest logs, we will estimate based on technology scope)

    A: The City does not currently maintain a precise baseline of telemetry ingestion volumes. Vendors should estimate based on a mid-sized municipality (approximately 60,000 population) and propose scalable ingestion models.


    Q (What is your current EDR technology?): CrowdStrike Falcon; Microsoft Defender for Endpoint; SentinelOne EDR; Other (Please name):

    A: The City utilizes an endpoint protection platform. Specific vendor details will be shared with the selected provider under NDA. The City is open to evaluating alternative or consolidated solutions.


    Q (What is your current Firewall technology?): Cisco ASA; Fortinet FortiGate; Palo Alto Networks; Other (Please name):

    A: The City maintains enterprise-grade firewall infrastructure across multiple locations. Detailed vendor and configuration information will be shared under NDA.


    Q (What is your current Email Security technology?): Google Workspace; Microsoft Office 365; Proofpoint; Other (Please name):

    A: The City utilizes a cloud-based email platform with integrated security controls. Vendors may propose enhanced email security and phishing protection capabilities.


    Q (What is your current Identity & SSO technology?): Google Cloud Identity/Workspace; Microsoft Active Directory; Microsoft Entra ID; Okta; Ping; Other (Please name):

    A: The City utilizes centralized identity management with Single Sign-On (SSO) and Multi-Factor Authentication (MFA). Vendors must support integration with leading identity platforms and recommend best practices.


    Q (Other Data Sources): Please list other data sources such as DHCP, DNS, Network Traffic Analysis, WAF, IDS/IPS, Web Proxy, VPN, DLP, Operating Systems, SaaS platforms, custom apps, and other technologies that would be important to your security telemetry:

    A: The City operates a variety of standard municipal systems, including but not limited to identity services, DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), network infrastructure devices, cloud and SaaS applications, operating systems, and public safety systems. A detailed inventory will be provided during onboarding under NDA.


    Q (No subject): Questions:
      • Does the City have an existing SIEM now?
      • How many Servers does the City have (please provide # of Virtual & # of Physical)?
      • What are your primary goals for implementing MDR?
      • What are your key security concerns or threats you're currently facing?
      • What compliance or regulatory frameworks do you need to meet?
      • What is your current security stack (EDR, SIEM, XDR/MDR, mES, Firewalls, etc.)?
      • Do you currently have an internal SOC or security team? What are their responsibilities?
      • Do you require coverage for Cloud workloads or SaaS platforms?
      • Are there any specific SIEM, SOAR, or IAM tools that the MDR must integrate with?
      • What is the expected telemetry data retention period?
      • Do you require Multi-Tenancy or role-based access controls in the platform?
      • Do you have an MDR security tool now?
      • What is your XDR platform now?
      • What data sources does the XDR support natively (e.g., EDR, NDR, cloud, email, identity)?
      • How many users are covered by your MDR platform?
      • How many servers are covered by your MDR platform?
      • Who manages your MDR platform?
      • Does your MDR provide Network Traffic Analysis (east-west)?
      • How many Internet access locations do you have?
      • What are the bandwidth speeds at your Internet Access Locations?
      • What EDR tool are you using?
      • How many devices are being covered?
      • How many end points (and what OS types) need to be covered?

    A: The City maintains a hybrid IT environment consisting of on-premise and cloud-based systems. Primary goals for MDR include 24/7/365 monitoring, rapid threat detection and response, improved visibility, and strengthening the City’s cybersecurity posture following a recent incident. Key security concerns include ransomware, phishing, credential compromise, and protection of critical municipal systems. The City aligns with applicable public-sector cybersecurity standards, including CJIS (Criminal Justice Information Services) where applicable, and NIST (National Institute of Standards and Technology) guidance. The City has limited internal security resources and seeks a vendor to augment or provide SOC (Security Operations Center) capabilities. Detailed information regarding servers, tools, asset counts, and internal operations will be shared with the selected vendor under NDA.


    Q (No subject): What is the approximate number of endpoints (desktops/laptops) to be included in the scope of monitoring?

    A: For security reasons, detailed endpoint counts will be shared with the selected vendor under NDA. Vendors should propose scalable solutions appropriate for a mid-sized municipality.


    Q (No subject): What is the approximate number of servers (physical and virtual) within the City’s environment?

    A: Detailed server counts will be provided to the selected vendor under NDA. Vendors should propose scalable solutions.


    Q (No subject): How many users/accounts are currently managed (e.g., Active Directory and/or Microsoft 365)?

    A: Detailed user and account counts will be shared with the selected vendor under NDA.


    Q (No subject): How many total assets are in scope at contract start, broken out by:
      • servers
      • endpoints
      • network devices
      • firewalls
      • VPN appliances
      • identity systems
      • cloud workloads / SaaS platforms

    A: A detailed asset inventory will be provided to the selected vendor under NDA. Vendors should propose scalable pricing models.


    Q (No subject): 2. Which specific platforms are in use today for:
      • endpoint protection / EDR
      • SIEM / log management
      • firewalls
      • identity and MFA
      • email security
      • cloud infrastructure
      • backup / recovery

    A: The City utilizes industry-standard technologies across endpoint protection, identity, firewalls, email, cloud infrastructure, and backup systems. Specific platform details will be shared under NDA.


    Q (No subject): 3. What cloud environments are in scope, and at what scale?
      • Microsoft 365
      • Azure
      • AWS
      • Google Cloud
      • other SaaS applications

    A: The City utilizes cloud and SaaS platforms typical of a mid-sized municipality. Specific platforms and scale will be shared under NDA.


    Q (No subject): 4. Are public safety, police, fire, 911, OT/ICS, or other critical municipal systems included in scope?

    A: Yes, critical municipal and public safety systems are included in scope. Additional details will be provided under NDA.


    Q (No subject): Are any third-party managed environments, subsidiaries, boards, or agencies included?

    A: Certain third-party or affiliated environments may be included. Details will be shared under NDA.


    Q (No subject): 6. What is the expected growth in asset count over the 1-, 3-, and 5-year pricing periods requested in the RFP?

    A: The City anticipates minimal growth (approximately 1–2% annually). Vendors should provide scalable pricing models.


    Q (No subject): Does the City expect full 24/7/365 active monitoring and response, or monitoring with after-hours notification only? The RFP asks for continuous monitoring, but the expected operating model is not fully defined.

    A: Yes, the City requires full 24/7/365 monitoring and response capabilities.


    Q (No subject): 8. What log sources must be onboarded on day one versus later phases?

    A: Vendors should propose a phased onboarding approach.


    Q (No subject): Are there minimum use cases, detection rules, or compliance reporting requirements the City expects at launch?

    A: Vendors should propose recommended detection use cases aligned with industry standards and municipal risk profiles.


    Q (No subject): What are the required service levels for:
      • alert triage
      • escalation
      • incident notification
      • investigation start time
      • reporting turnaround

    A: Vendors should propose SLAs aligned with industry standards, including alert triage, escalation, incident notification, and response timelines.


    Q (No subject): Does the City require the vendor to perform active containment actions, or only provide recommendations and guidance?

    A: The City prefers a collaborative model where vendors recommend actions. Containment actions require City approval unless pre-authorized during onboarding.


    Q (No subject): In the event of an incident, what actions is the vendor authorized to take without prior approval?
      • isolate endpoint
      • disable account
      • block IP/domain
      • modify firewall rules
      • disable mailbox access

    A: Specific pre-authorized actions may be defined during onboarding. Otherwise, vendor actions require City approval.


    Q (No subject): Does the City want retainer-based incident response included in base pricing, or quoted separately as optional services?

    A: Vendors should provide incident response services as optional pricing.


    Q (No subject): Forensic analysis is mentioned “when required.” Should digital forensics be included in core pricing, capped, or priced separately?

    A: Digital forensics should be offered as an optional service.


    Q (No subject): Who within the City will serve as the incident commander / technical point of contact during an event?

    A: The City will designate an incident response lead during onboarding.


    Q (No subject): Is the City expecting tabletop exercises, incident response playbooks, or post-incident reviews as part of the base service?

    A: Vendors can include optional incident response playbooks and tabletop exercises.


    Q (No subject): Does the City want the vendor to use the City’s existing tools, propose a fully managed toolset, or provide either option?

    A: The City is open to vendor recommendations, including use of existing tools, new platforms, or hybrid approaches.


    Q (No subject): If new tooling is required, should software licensing be:
      • included in vendor pricing
      • shown as pass-through cost
      • shown as optional / separate line items

    A: Vendors should clearly define licensing models, including bundled, pass-through (where software costs are itemized and billed at or near cost), or optional pricing. The City prefers transparency in licensing costs and the flexibility to leverage existing investments where feasible.


    Q (No subject): Are there any required integrations with ticketing, email, identity, firewall, cloud, or municipal systems?

    A: Vendors should support integration with common municipal systems. Specific requirements will be shared under NDA.


    Q (No subject): Are there data residency, CJIS, criminal justice, or other public-sector data handling requirements that affect tooling or staffing?

    A: Yes, applicable public-sector and CJIS requirements must be supported.


    Q (No subject): Does the City require tenant ownership of the SIEM / EDR platform at contract end?

    A: The City prefers to retain ownership of its data and configurations where feasible.


    Q (No subject): What level of onboarding is expected in implementation pricing:
      • discovery workshops
      • asset inventory validation
      • connector deployment
      • log onboarding
      • use-case tuning
      • runbook creation
      • knowledge transfer

    A: Vendors should include full onboarding services including discovery, deployment, tuning, and knowledge transfer.


    Q (No subject): Is there a target go-live date beyond the proposal schedule?

    A: The City will coordinate timelines with the selected vendor during project planning.


    Q (No subject): Will the City provide internal technical resources during onboarding, and at what availability?

    A: Yes, limited internal resources will be available during onboarding.


    Q (No subject): Are there any union, change-control, maintenance-window, or approval constraints that could affect deployment effort?

    A: Standard municipal change control and maintenance windows apply.


    Q (No subject): What reporting cadence and format does the City expect beyond the monthly security reports listed in the RFP?

    A: At minimum, monthly reporting is required.


    Q (No subject): Does the City require executive reporting, board-ready reporting, or KPI/SLA dashboards?

    A: Yes, executive-level and Key Performance Indicator/Service Level Agreement reporting is expected.


    Q (No subject): How often does the City expect advisory meetings, posture reviews, and roadmap recommendations?

    A: Quarterly reviews are expected at minimum. Provide pricing for recommended options.


    Q (No subject): Is vulnerability management advisory expected, or only threat monitoring and response?

    A: Advisory services are expected; full services are to be proposed as optional line items.


    Q (No subject): Are there any requirements for U.S.-based analysts, SOC location, or onshore-only support? The RFP asks vendors to identify SOC locations and staffing, but does not define delivery constraints.

    A: Preference is for U.S.-based SOC resources. Must be CJIS/HIPAA compliant.


    Q (No subject): Is onsite presence required for kickoff, quarterly reviews, incident response, or major events?

    A: Onsite presence may be required for key activities.


    Q (No subject): Are named key personnel required for the duration of the engagement?

    A: Vendors should identify key personnel in their proposals.


    Q (No subject): Are there background check, fingerprinting, or municipal access requirements for assigned personnel?

    A: Yes, background checks and municipal access requirements may apply.


    Q (No subject): What pricing format does the City prefer for ongoing monitoring:
      • per endpoint
      • per log source
      • per GB/day ingestion
      • tiered fixed fee
      • annual managed service fee

    A: Flexible pricing models should be provided.


    Q (No subject): Should 1-, 3-, and 5-year pricing assume fixed scope, or may pricing reflect projected growth and inflation? The RFP asks for those terms but does not define assumptions.

    A: Yes, vendors may include growth assumptions.


    Q (No subject): Should implementation be priced as one-time fixed fee, T&M not-to-exceed, or milestone-based?

    A: Vendors may propose per unit, fixed fee.


    Q (No subject): Which services should be treated as “optional services” for separate pricing?
      • incident response retainer
      • threat hunting
      • vulnerability management
      • phishing / awareness
      • policy development
      • tabletop exercises
      • security architecture review
      • backup/recovery advisory

    A: All listed services should be priced as optional.


    Q (No subject): Are travel expenses expected to be included or billed separately?

    A: Travel should be clearly identified and preferably included or capped.


    Q (No subject): Since the RFP states the agreement will be via purchase order and “NO VALUE,” can the City clarify the intended contracting and spend authorization structure?

    A: The City will issue purchase orders under an agreed contract framework.


    Q (No subject): Can the City share the sample agreement attachment and identify any non-negotiable legal or insurance terms that could affect pricing? The RFP references a sample agreement attachment and insurance requirements.

    A: The Sample Agreement is an Attachment - I just posted it as a "Notice" for everyone's viewing pleasure.


    Q (No subject): Since pricing is only 30% of the score, can the City clarify what differentiators matter most within:
      • qualifications and experience
      • key personnel
      • references
      • pricing?

    A: 1. Pricing; 2. Qualifications/Experience; 3. References; 4. Key Personnel


    Q (No subject): Does the City prefer vendors with direct municipal SOC experience, or will broader state/local government and regulated-sector experience be considered equivalent? The RFP says government or municipal references are preferred.

    A: Municipal or equivalent public-sector experience is preferred.


    Q (No subject): Are there incumbent providers today, and if so, what services/tools are currently in place that the City expects to retain?

    A: The City utilizes a mix of internal and external resources. Additional details will not be disclosed.


    Q (No subject): Can you please provide the total number of assets for the categories below?
      • Servers
      • Endpoints
      • Network devices
      • Identity systems
      • Cloud services
      • Firewalls
      • VPN systems

    A: Detailed asset inventories will be shared under NDA.


    Q (VPN): What VPN technologies are in use?

    A: The City utilizes industry-standard VPN technologies. Specific details will be shared under NDA.


    Q (Log Retention): What length of log retention does the city require (90 days, 6 months, 1 year, etc.)?

    A: Vendors should propose options ranging from 90 days to 1 year.


    Q (MFA): 3. What MFA provider services does the city utilize? (i.e. Duo, Okta, etc...)

    A: The City utilizes MFA as part of its identity strategy. Specific provider details will be shared under NDA.


    Q (Cloud Platform & user count): 2. What cloud platforms does the city utilize (i.e. M365, GWS, AWS, Azure, GCP, etc.)? a. How many licensed users exist in each cloud platform?

    A: The City utilizes cloud platforms typical of a mid-sized municipality. Detailed platform and user counts will be shared under NDA.


    Q (Core Backbone speed): 1. What is the city's core network backbone speed (i.e. 1gb copper, 10gb fiber (SFP+))?

    A: The City maintains modern network infrastructure appropriate for municipal operations. Detailed specifications will be shared under NDA.


    Q (Clarification Regarding Subcontractor Past Performance): Could you please confirm whether past performance references from subcontractors are acceptable as part of the proposal submission for this opportunity?

    A: Yes, it is acceptable.


    Q (Questions from XTGlobal):

      1. Technical & Scope Clarification

      1.1 SOC & Monitoring
      • What is the total number of endpoints, servers, and network devices to be monitored?
      • What is the estimated log volume (GB/day) for SIEM ingestion?
      • Are there any existing security tools (SIEM, EDR, firewalls, etc.) in place? If yes, please specify.
      • Should the vendor provide a complete SOC platform or integrate with existing tools?

      1.2 Infrastructure Details
      • Can you provide details of the current IT environment (cloud providers, OS types, firewall vendors)?
      • What is the approximate split between cloud and on-premise environments?
      • Are there any legacy systems that require special monitoring considerations?

      1.3 Integration Requirements
      • Which systems are required to be integrated (e.g., Active Directory, O365, Azure, AWS)?
      • Will APIs or access credentials be provided for integration?

      1.4 Incident Response
      • What are the expected SLAs for incident detection and response?
      • Is the vendor expected to perform active remediation or provide recommendations only?
      • Who holds final authority during incident response (vendor vs. City IT team)?

      1.5 Threat Intelligence
      • Does the City currently subscribe to any threat intelligence feeds, or should the vendor provide them?

      2. Operational & Delivery

      2.1 Coverage Model
      • Is a fully staffed 24/7 SOC required, or can after-hours support be partially automated?
      • Is fully remote SOC support acceptable, or is on-site presence required?

      2.2 Reporting & Performance
      • Can you share sample report formats (monthly and incident reports)?
      • What key performance indicators (KPIs) are expected (e.g., MTTD, MTTR)?

      2.3 Communication & Ticketing
      • What are the escalation procedures and communication channels (email, phone, ticketing system)?
      • Is there an existing ticketing system to integrate with?

      2.4 Onboarding & Transition
      • What is the expected onboarding timeline?
      • Will the City provide documentation such as network diagrams, asset inventory, and security policies?

      3. Compliance & Security
      • Are there any regulatory or compliance requirements (e.g., CJIS, HIPAA)?
      • Are there any data residency constraints (e.g., data must remain within the USA)?
      • What are the log retention requirements?

      4. Commercial & Pricing
      • Should pricing include tools and licenses, or will they be provided by the City?
      • What is the preferred pricing model (fixed monthly, per-device, or per-log volume)?
      • Are there any budget constraints or expected pricing range?

    A: Responses to these topics are addressed throughout this document. Vendors should propose best-practice solutions, scalable architectures, and flexible pricing models aligned with municipal requirements. Detailed technical information will be shared with the selected vendor under NDA.


    Q (No subject): What is the desired retention period for SIEM data?

    A: Vendors should propose retention options aligned with best practices, compliance requirements, and cost considerations, typically ranging from 90 days to 1 year or longer.


    Q (No subject): Will there be a need to transfer existing SIEM data (if any) into the proposed SIEM?

    A: Data migration requirements will be evaluated during implementation. Vendors should provide optional pricing for migration services if required.


    Q (References): The RFP requests three references, preferably from government or public sector clients. Will the City consider international municipal or other government/public sector references, provided they are relevant in scope and demonstrate comparable cybersecurity services experience?

    A: Yes, provided they demonstrate relevant scope, scale, and comparable cybersecurity services experience.


    Q (No subject): What is current ingestion rate (GBs/Day) or Events Per Second (EPS) if known?

    A: For security reasons, detailed ingestion metrics will not be publicly disclosed. Vendors should estimate based on a mid-sized municipality. Specific data will be shared under NDA.


    Q (contract term): Can the City confirm the intended initial contract term, and whether it anticipates a 1-year base with renewal options or a multi-year award at the outset?

    A: The City anticipates a multi-year engagement. Vendors should provide pricing for 1, 3, and 5-year terms as outlined in the RFP. Final structure will be determined during contract award.


    Q (reference the types of assets, but not quantities): Can the City provide an estimated count of endpoints, servers, network devices, and users to be covered under this engagement?

    A: For security reasons, detailed asset counts will not be publicly disclosed. Vendors should propose scalable solutions appropriate for a mid-sized municipality. Details will be shared under NDA.


    Q (No subject): Does the City require full incident response execution (includes response and remediation), or working with internal IT staff on incident remediation?

    A: The City prefers a collaborative model where the vendor works with internal IT staff. Vendors may recommend actions, with containment and remediation subject to City approval unless pre-authorized.


    Q (No subject): Are there specific compliance frameworks the City is aligning to such as NIST CSF, CJIS, or others?

    A: Yes, the City aligns with applicable public-sector standards, including NIST (National Institute of Standards and Technology) and CJIS (Criminal Justice Information Services) where applicable.


    Q (No subject): What is the desired timeline for onboarding and full operational readiness?

    A: Vendors should propose an onboarding timeline. The City prefers a rapid but controlled deployment with full operational readiness achieved as efficiently as possible.


    Q (No subject): Will there be a transition period from an existing provider, and if so, what support will be available?

    A: A transition period may be required. The City will coordinate with the selected vendor to ensure continuity of services.


    Q (No subject): Should vendors include optional services such as vulnerability management, penetration testing, or security awareness training as part of the proposal or as add alternates?

    A: Yes, vendors should include these as optional.


    Q (No subject): Does the City have any operational technology (OT) or industrial control systems (ICS) — such as water treatment, traffic systems, or utilities — that fall within or adjacent to the monitoring scope?

    A: The City operates critical infrastructure systems typical of municipal environments. Specific details will be shared under NDA. Vendors should be capable of supporting such systems where applicable.


    Q (No subject): Are there any air-gapped or isolated networks that the vendor will need to account for but cannot directly monitor?

    A: Certain systems may have restricted connectivity. Details will be shared under NDA. Vendors should propose solutions that accommodate such environments.


    Q (No subject): How many physical City locations/buildings require coverage, and are there remote or satellite offices included in scope?

    A: The City operates across multiple facilities. Detailed location information will be provided under NDA.


    Q (No subject): In the event of an active ransomware attack outside business hours, what is the City's expected response time for an authorized decision-maker to be reached for approval of containment actions?

    A: The City will establish escalation procedures during onboarding, including after-hours contact protocols and response expectations.


    Q (No subject): Is there a current cybersecurity or SOC monitoring vendor in place? If so, when does that contract expire, and will there be a parallel running period?

    A: The City currently utilizes a mix of internal and external resources. Additional details will not be disclosed.


    Q (No subject): Does the City have cyber liability insurance, and if so, does that policy require incident response to be handled by a specific vendor or panel firm?

    A: The City maintains appropriate risk management practices. Specific insurance-related requirements will be addressed during contracting.


    Q (No subject): Are there any existing vendor contracts (SIEM licensing, EDR, etc.) the City intends to keep regardless of who wins this RFP?

    A: The City may retain certain technologies or services. Vendors should be flexible and capable of integrating with existing solutions.


    Q (No subject): Will the selected vendor require a City-issued email address or network credentials, and if so, what is the provisioning timeline typically?

    A: Yes, as required. Access will be provisioned in accordance with City security policies during onboarding.


    Q (No subject): Beyond background checks, does the City require any specific municipal access agreements, NDAs, or data handling agreements to be executed before work begins?

    A: Yes, vendors will be required to execute Non-Disclosure Agreements (NDAs) and comply with City security and data handling policies.


    Q (No subject): Who is the primary internal stakeholder the vendor reports to — IT Director, CISO, City Administrator — and will there be a formal steering committee or governance structure?

    A: The vendor will report to the City’s IT leadership. Governance structure and escalation paths will be defined during onboarding.


    Q (No subject): The RFP requests 1, 3, and 5-year pricing — should each be priced as a standalone term, or as a base year with renewal options?

    A: Vendors should provide pricing for each term and clearly state assumptions.


    Q (No subject): The RFP states the agreement will be via Purchase Order with "NO VALUE" — can the City clarify whether annual budget appropriation is required each fiscal year, and what happens to the contract if appropriation is not approved?

    A: Contracts are subject to municipal budgeting and annual appropriation processes. Additional details will be addressed during contracting.


    Q (No subject): Does the City anticipate any significant infrastructure changes (cloud migration, new systems, mergers of departments) during the contract period that would materially affect monitoring scope and pricing?

    A: The City continuously evaluates technology improvements. Vendors should propose scalable solutions capable of accommodating change.


    Q (Who is currently performing the services): Is there an incumbent currently delivering these services, or is this a new engagement?

    A: The City currently utilizes a combination of internal and external resources. Additional details will not be disclosed.


    Q (Remediation and recovery): Is remediation and recovery expected to be performed by the vendor, or will it be handled internally?

    A: The City prefers a collaborative approach. Vendors may assist with or perform remediation as agreed, with oversight and coordination from City IT staff.


    Q (On-Site Work): Is there any on-site work expected for the duration of the contract?

    A: On-site support may be required as needed. Vendors should indicate their capability to provide on-site and remote services.


    Q (Network size for correct price calculation): Can you provide a description of your current network (number of workstations, endpoints, servers, network devices, firewalls, subnets, IPs, wireless access points, cloud components, firewall traffic (GB per month) etc.)?

    A: For security reasons, detailed network architecture and metrics will not be publicly disclosed. Relevant information will be shared under NDA.


    Q (Current Number of Alerts): What is the average number of alerts generated monthly by your existing security tools?

    A: Detailed alert metrics will not be publicly disclosed. Vendors should propose solutions based on typical municipal environments.


    Q (Offshore SOC resources): Are offshore resources permitted for monitoring or penetration testing, assuming no data leaves your environment?

    A: Preference is for U.S.-based resources, particularly where sensitive or regulated data is involved.


    Q (SIEM): Would you consider replacing the current SIEM if an equivalent is included in the proposal?

    A: Yes, the City is open to vendor recommendations, including replacement, provided the proposed solution meets or exceeds current capabilities.


    Q (The RFP includes cloud services in scope but does not define platforms, coverage depth, or response expectations, which directly impacts pricing, tooling, and delivery model): Are cloud environments (such as Microsoft 365, Azure, AWS, or GCP) in scope for monitoring and response? If so, at what level of depth?

    A: Yes, cloud and SaaS environments are in scope. Vendors should propose appropriate monitoring and response coverage aligned with best practices. Details will be shared under NDA.


    Q (No subject): Are there any existing security tools or platforms currently in place that the selected vendor will be required to integrate with or replace?

    A: The City utilizes existing tools. Vendors should support integration and/or propose alternatives. Details will be shared under NDA.


    Q (No subject): What are the City’s expectations for response times, escalation procedures, and SLAs for critical incidents?

    A: Vendors should propose SLAs aligned with industry standards, including response times, escalation procedures, and incident handling. Final SLAs will be negotiated with the selected vendor.


    Q (No subject): Does the City Council or any oversight body require cybersecurity reporting, and if so, at what frequency and in what format?

    A: Reporting will be directly to the technology department. Frequency and format will be defined during onboarding.


    Q (Project Initiation Status (New vs. Existing Engagement)): Could the City please confirm whether this is a new initiative or an existing engagement?

    A: This engagement represents an evolution of the City’s cybersecurity capabilities and may include both new services and transition from existing resources.


    Q (Award Structure (Single vs. Multiple Vendors)): Could the City please clarify whether it intends to award this RFP to a single vendor or multiple vendors? If multiple awards are anticipated, could the City specify the expected number of vendors to be selected?

    A: The City reserves the right to award to one or more vendors, based on what is determined to be in the City’s best interest.


    Q (Total Assets/Devices in Scope for Monitoring): What is the total number of assets/devices in scope for cybersecurity monitoring?

    A: For security reasons, detailed asset counts will not be publicly disclosed. Vendors should propose scalable solutions appropriate for a mid-sized municipality.


    Q (Detailed Asset Inventory Breakdown): Please provide a detailed breakdown of all asset types, including but not limited to: • Endpoints (workstations, laptops) • Servers (physical and virtual) • Network devices (firewalls, routers, switches, VPNs) • Cloud workloads (e.g., virtual machines, containers, SaaS applications) • Identity systems (e.g., Active Directory, Azure AD) • Security appliances/tools (if applicable)

    A: Detailed inventory information will not be publicly disclosed. Full details will be shared under NDA.


    Q (Estimated Log Volume / Event Throughput): What is the estimated daily log ingestion volume (GB/day) or events per second (EPS)?

    A: For security reasons, detailed ingestion metrics will not be disclosed. Vendors should estimate based on a mid-sized municipality.


    Q (Existing Security Tools and Technology Stack): Does the City currently have a SIEM, EDR, or other security tools in place? If yes, which tools are deployed? Should the vendor leverage existing tools or propose new solutions?

    A: Vendors should be prepared to integrate with existing technologies and/or propose alternative solutions.


    Q (SLA Requirements for Alerting and Incident Response): What are the expected SLA requirements for: • Alert triage • Incident response notification

    A: Vendors should propose Service Level Agreements (SLAs) aligned with industry best practices.


    Q (Scope of Incident Response Responsibilities): Does the City expect the vendor to: • Provide incident response guidance and recommendations only, or • Perform active containment and remediation actions (e.g., isolating endpoints, blocking malicious activity, applying fixes)?

    A: The City prefers a collaborative model. Vendors may recommend actions, with containment and remediation subject to City approval unless pre-authorized.


    Q (24/7 Monitoring and Response Expectations): Is the vendor required to provide 24/7 monitoring services? If yes, what is the expected level of response/remediation, for example: • Monitoring and escalation only • Monitoring with limited/ad hoc remediation • Full managed detection and response (MDR)

    A: Yes, continuous monitoring is expected. Vendors should define their level of response, including escalation and remediation capabilities.


    Q (SOC Delivery Model (New vs. Existing Tools)): Does the City expect the vendor to provide a complete SOC solution (including SIEM/EDR or other monitoring tools), or leverage existing tools?

    A: Provide your recommended solution with optional breakdown.


    Q (Incident Response Delivery Model (Onsite vs. Remote)): Is incident response support expected to be provided remotely (offsite), onsite, or both?

    A: Primarily remote, with onsite support as needed.


    Q (Additional Security Services Requirements): Are additional services such as vulnerability management, phishing simulations, or security awareness training expected as part of this engagement?

    A: Vendors should include these as optional services.


    Q (Contract Term and Extension Options): Please confirm the initial contract term (base duration) and the total potential contract duration including all extension options.

    A: Vendors should provide pricing for 1-, 3-, and 5-year terms. Final structure will be determined during contract award.


    Q (Service Delivery Model (Onsite/Remote/Hybrid)): Is the overall service expected to be delivered remotely (offsite), onsite, or in a hybrid model?

    A: A hybrid model is preferred.


    Q (Budget Guidance / Expected Pricing Range): Can the City provide any budget guidance or expected range to help vendors align their proposed solutions appropriately?

    A: Budget information will not be disclosed. Vendors should propose solutions aligned with the scope and market standards.


    Q (Incident response & Threat Intelligence): What are the expected SLAs for alert triage, escalation, and incident response, and should the vendor provide active containment/remediation or recommendations only, as well as perform proactive threat hunting (including expected frequency) and deliver threat intelligence tailored to municipal/government‑specific threats?

    A: Vendors should propose Service Level Agreements covering alert triage, escalation, and incident response. Vendors should also include threat intelligence capabilities and may propose proactive threat hunting services. Threat intelligence refers to information used to identify and respond to potential threats.


    Q (Security Monitoring & reporting): Should the vendor leverage existing tools or provide a fully managed SIEM/EDR platform, and are there any specific integration requirements (such as ticketing systems, identity platforms, or cloud services), along with the expected level of reporting detail (operational vs. executive dashboards) and the preferred escalation and communication channels for alerts and incidents?

    A: Vendors should support integration with common enterprise systems and provide both operational and executive-level reporting. Escalation procedures and communication methods should be clearly defined within the proposal.


    Q (Cybersecurity Advisory Services): What is the expected frequency and scope of advisory services (such as monthly reviews or strategic roadmap support), and are there priority security initiatives or critical municipal systems that require alignment, priority monitoring, or enhanced SLAs?

    A: Vendors should propose advisory services such as regular security reviews and strategic recommendations. The frequency and scope of these services will be finalized during onboarding.


    Q (Monitoring & Detection Approach): Will the vendor be provided secure remote access (VPN/read-only/privileged) for monitoring and incident response activities? Are there any existing detection rules/use cases available, or should the vendor build use cases from scratch?

    A: Secure access will be provided as needed in accordance with City policies. Vendors should be capable of leveraging existing detection rules as well as developing new use cases where necessary.


    Q (Project Timeline and Key Milestones): Could the City please provide the anticipated project timeline, including key milestones and the overall expected duration of the engagement?

    A: Vendors should propose a detailed implementation timeline, including onboarding phases, milestones, and expected time to full operational capability.


    Q (NDA): Is it possible to share City of Meriden's NDA to execute in order to submit a thorough response from a pricing / technology stack perspective?

    A: The City can provide a Non-Disclosure Agreement upon request for shortlisted or selected vendors.


    Q (No subject): What security tools are currently deployed (SIEM, EDR, email, identity, vulnerability mgmt)?

    A: The City utilizes a range of security tools. Specific details will not be publicly disclosed and will be shared under a Non-Disclosure Agreement.


    Q (No subject): What is the approximate scope (number of endpoints, servers, and identities) to be monitored?

    A: Detailed asset counts will not be publicly disclosed. Vendors should propose scalable solutions appropriate for a mid-sized municipal environment.


    Q (No subject): Do you expect full response (containment/remediation) or advisory-only support?

    A: The City prefers a collaborative response model with vendor recommendations and City oversight.


    Q (No subject): Do you require 24/7 active response, or just monitoring with escalation?

    A: Continuous monitoring is required. Vendors should clearly define their response capabilities, including escalation and remediation options.


    Q (No subject): During an active incident, who has authority to isolate endpoints, disable accounts, and block IPs?

    A: The City retains final authority. Specific pre-authorized actions may be defined during onboarding.


    Q (No subject): What are your expectations for reporting and governance (e.g., alignment to NIST CSF or CIS Controls, frequency of reviews)?

    A: Vendors should align with recognized frameworks such as the NIST Cybersecurity Framework and CIS Controls. Reporting and governance structure will be defined during onboarding.


    Q (No subject): What internal IT/security resources are available today, and what coverage gaps are you looking to fill?

    A: For security reasons, detailed information regarding internal IT and security resources, staffing levels, and specific coverage gaps will not be publicly disclosed.


    Q (No subject): Are there any key drivers or deadlines (e.g., audits, insurance requirements, recent incidents) influencing timeline?

    A: The City continues to enhance its cybersecurity posture. Vendors should support timely implementation aligned with industry best practices.


    Q (No subject): Do you prefer pricing based on assets, data volume, or tiered service levels, and how should multi-year pricing (1, 3, 5 years) be structured?

    A: Vendors may propose pricing models based on assets, data volume, or tiered services. Multi-year pricing should be clearly defined with stated assumptions.


    Q (No subject): Do you expect custom detection engineering or primarily out-of-the-box alerts?

    A: Vendors should support both standard, out-of-the-box detections and the development of custom detection capabilities tailored to the City’s environment.


    Q (No subject): Can you provide the approximate number of users and endpoint devices currently in scope for monitoring?

    A: Vendors should size solutions based on typical municipal environments and ensure scalability.


    Q (Existing Users & Assets): Could you share a complete inventory or list of all assets (servers, endpoints, network devices, identity systems, cloud services) that will be covered under this engagement?

    A: A detailed asset inventory will not be provided as part of the RFP process. The selected vendor will work with the City during onboarding to validate and refine the asset inventory and monitoring scope.


    Q (Existing Technologies): What security monitoring or logging technologies are currently deployed in your environment?

    A: The City utilizes a combination of endpoint protection, identity management, and logging capabilities common to municipal IT environments.


    Q (Existing Technologies): Are there existing SIEM or endpoint detection solutions in place that the vendor will need to integrate with?

    A: There are existing tools in place within the environment. Integration will be discussed during onboarding under NDA.


    Q (Tools / Technologies Requested): The RFP mentions SIEM and endpoint detection/response capabilities. Do you have preferred tools or platforms, or should the vendor propose these?

    A: The City does not mandate specific tools and expects vendors to propose solutions that best meet the requirements outlined in the RFP.


    Q (Tools / Technologies Requested): Are there any existing integrations with cloud services or identity management systems that the vendor should be aware of?

    A: The City leverages common cloud and identity platforms typical of municipal environments. Vendors should assume integration with standard identity and cloud services and propose accordingly.


    Q (Monitoring & Incident Handling): The RFP specifies 24/7/365 monitoring. Can you confirm if this is a strict requirement for continuous monitoring, or if partial coverage (e.g., business hours) would be acceptable?

    A: Continuous 24/7/365 monitoring is the expected requirement.


    Q (Monitoring & Incident Handling): For incident response support, do you expect the vendor to provide full hands-on remediation, or only advisory/containment recommendations?

    A: Primarily remote, with onsite support as needed.


    Q (Licensing & Post-Installation Support): Are you expecting vendors to provide only tool licensing, or full managed services including monitoring and incident handling?

    A: The City is seeking a comprehensive solution that includes both technology and managed services, including monitoring and incident response capabilities.


    Q (Licensing & Post-Installation Support): What level of post-installation support is expected (e.g., ongoing monitoring, advisory services, reporting)?

    A: Ongoing support is expected to include continuous monitoring, incident response, reporting, and periodic advisory services to support the City’s cybersecurity posture.


    Q (Licensing & Post-Installation Support): Can you confirm the type of Microsoft licenses currently in use (e.g., M365 G3, G5, G5 Security)?

    A: The City utilizes Microsoft licensing appropriate for a municipal environment; however, specific licensing tiers are not being disclosed.


    Q (Licensing & Post-Installation Support): Are there any plans to upgrade or change Microsoft licensing tiers in the foreseeable future?

    A: The City continuously evaluates its technology stack and may adjust licensing as needed; vendors should propose flexible solutions that can adapt to changes.


    Q (Reporting & Communication): The RFP mentions monthly reports and incident documentation. Are there specific formats or compliance requirements these reports must follow?

    A: Reports should align with industry standards and clearly communicate both operational and executive-level insights. Vendors may propose formats, subject to City approval.


    Q (General): Can you please confirm whether the proposal should be structured strictly as Part A (Qualifications) and Part B (Pricing), or if vendors should follow the individual upload sections in the eProcurement portal as the required submission format?

    A: Yes, please follow the guidelines on the portal site showing the 2 separate Upload options.


    Q (General): Can you please extend the submission date by 1 week?

    A: No, unable to extend at this time. Thank you.


    Q (General): Will key personnel's work location be onsite or remote?

    A: Primarily remote, with onsite support as needed.


    Q (No subject): Page 4, section 2 mentions “The City’s IT environment includes a combination of…”. Kindly provide approximate counts of servers, endpoints, network devices, firewalls, and cloud workloads to be monitored?

    A: Specific counts are not being provided. Vendors should assume a typical mid-sized municipal IT environment and propose scalable solutions.


    Q (No subject): What are the City’s expected SLAs for alert triage, incident escalation, and reporting?

    A: The City expects timely triage and escalation aligned with industry best practices, with clearly defined SLAs proposed by the vendor and agreed upon during contract finalization.


    Q (No subject): Are there any unsupported or legacy systems the vendor needs to plan for?

    A: As with most municipal environments, some legacy systems may exist. Vendors should propose solutions capable of accommodating such systems where feasible.


    Q (No subject): Technical Environment & Scale
    To accurately size the solution and pricing, you should ask for the specific counts of the infrastructure mentioned in the background:
    • Endpoint Counts: Can the City provide the approximate number of endpoints (workstations and laptops) to be monitored?
    • Server Environment: What is the total number of servers (physical and virtual) included in the scope?
    • Network Infrastructure: How many firewalls, switches, and VPN concentrators will require log ingestion and monitoring?
    • Log Volume: Does the City have an estimate of the average daily log volume (in GB/day) or average Events Per Second (EPS) for their environment?
    • Cloud Presence: Which specific cloud-based services (e.g., Microsoft 365, Azure, AWS, Google Workspace) are currently in use and require integration?

    A: Detailed metrics are not being provided. Vendors should propose solutions that are flexible and scalable to accommodate varying infrastructure sizes and log volumes.


    Q (No subject): The RFP asks for "integration with existing City systems," so it is vital to know what those systems are:
    • Existing Tools: What are the current brands/vendors for the City's existing firewalls, endpoint protection (AV/EDR), and identity management services?
    • Current SIEM: Does the City currently utilize a SIEM, or is the vendor expected to provide the entire SIEM/log management platform as part of the service?
    • Agents: Is the City open to installing vendor-provided agents on their endpoints and servers, or do they require an agentless solution?

    A: The City operates a mix of standard IT and security platforms. Vendors should propose integration capabilities.


    Q (No subject): Operational & Service Requirements
    • Incident Response Hours: Does the "Incident Response Support" include a specific number of remediation or forensic hours per year, or should this be priced as an on-demand, hourly service?
    • Compliance: Beyond NIST and CIS, are there specific regulatory requirements the SOC must meet, such as CJIS (Criminal Justice Information Services) for public safety data?
    • On-site Presence: Section 6 mentions "visit the site" to examine conditions. Is there an expectation for any portion of the SOC services or implementation to be performed on-site at City facilities?
    • Escalation: What is the City’s current internal IT staffing level for cybersecurity, and who will be the primary point of contact for 24/7 escalations?

    A: Vendors should propose incident response models, including hours and escalation procedures. Compliance with applicable standards is expected. Limited onsite presence may be required, and escalation will involve coordination with City IT leadership.


    Q (No subject): Procurement & Pricing
    • Evaluation Weighting: The RFP lists "Detailed Pricing" as 30% of the evaluation. Will the 1, 3, or 5-year plan be the primary basis for the pricing score?
    • Implementation Timeline: Does the City have a target "go-live" date for the commencement of 24/7 monitoring services?
    • Renewal Terms: The RFP mentions the potential for two additional three-year extensions. Should vendors include projected price escalations for these optional renewal terms in their current proposal?

    A: Evaluation: Not necessarily. Implementation: Vendors should support timely implementation aligned with industry best practices. Renewal: Yes, it would be appreciated.


    Q (Environment Scoping): Can the City provide an approximate count of endpoint devices (workstations, laptops, tablets) and servers (physical and virtual) currently in the environment?

    A: Exact counts are not being disclosed; vendors should assume a mid-sized municipal environment. Provide scalable solutions.


    Q (Environment Scoping): How many physical locations or facilities does the City’s IT network span?

    A: The City operates across multiple facilities typical of a municipal government; several buildings have most end user locations.


    Q (Environment Scoping): What firewall platform(s) and VPN solution(s) are currently deployed?

    A: The City utilizes commercially supported firewall and remote access solutions. Vendors should propose solutions compatible with common enterprise platforms.


    Q (Environment Scoping): What is the City’s current Microsoft 365 licensing tier (e.g., E3, E5, G3, G5)?

    A: Specific licensing tiers are not being disclosed.


    Q (Integration and Technical): Is the City currently using Azure Active Directory / Microsoft Entra ID in addition to on-premises Active Directory?

    A: The City utilizes modern identity management solutions, including cloud-based identity services.


    Q (Integration and Technical): Can the City identify which cloud-based services are in scope for monitoring?

    A: The City utilizes common cloud platforms typical of municipal environments; vendors should assume standard SaaS and cloud infrastructure services.


    Q (Integration and Technical): What is the City’s expected or preferred log retention period for security event data?

    A: Log retention should align with industry best practices and applicable regulatory requirements. Vendors may propose retention strategies for review.


    Q (Compliance and Operations): Are there specific regulatory or compliance requirements applicable to the City’s IT environment (e.g., CJIS for public safety, PCI for payment processing, HIPAA)?

    A: The City aligns with recognized cybersecurity frameworks and may be subject to applicable regulatory requirements depending on department and data type.


    Q (Compliance and Operations): Does the City currently have a documented incident response plan?

    A: The City maintains internal procedures and expects the selected vendor to support and enhance incident response capabilities.


    Q (Contract): What is the anticipated contract start date following vendor selection?

    A: TBD once Vendors have been shortlisted.


    Q (No subject): General Budget: To ensure our response is aligned with your expectations and avoids over‐ or under‐scoping, would you be able to share whether a budget range has been established for this initiative?

    A: Budget information will not be disclosed. Vendors should propose solutions aligned with the scope and market standards.


    Q (No subject): Technical Environment & Scale To accurately size the solution and pricing, you should ask for the specific counts of the infrastructure mentioned in the background: ● Endpoint Counts: Can the City provide the approximate number of endpoints (workstations and laptops) to be monitored? ● Server Environment: What is the total number of servers (physical and virtual) included in the scope? ● Network Infrastructure: How many firewalls, switches, and VPN concentrators will require log ingestion and monitoring? ● Log Volume: Does the City have an estimate of the average daily log volume (in GB/day) or average Events Per Second (EPS) for their environment? ● Cloud Presence: Which specific cloud-based services (e.g., Microsoft 365, Azure, AWS, Google Workspace) are currently in use and require integration?

    A: Detailed technical metrics are not being provided at this stage. Vendors should propose scalable solutions based on typical municipal environments and include assumptions where necessary. Final scoping will occur during onboarding.


    Q (No subject): Current Security Stack The RFP asks for "integration with existing City systems," so it is vital to know what those systems are: ● Existing Tools: What are the current brands/vendors for the City's existing firewalls, endpoint protection (AV/EDR), and identity management services? ● Current SIEM: Does the City currently utilize a SIEM, or is the vendor expected to provide the entire SIEM/log management platform as part of the service? ● Agents: Is the City open to installing vendor-provided agents on their endpoints and servers, or do they require an agentless solution?

    A: Detailed technical metrics are not being provided at this stage. Vendors should propose scalable solutions based on typical municipal environments and include assumptions where necessary. Final scoping will occur during onboarding.


    Q (No subject): Operational & Service Requirements ● Incident Response Hours: Does the "Incident Response Support" include a specific number of remediation or forensic hours per year, or should this be priced as an on-demand, hourly service? ● Compliance: Beyond NIST and CIS, are there specific regulatory requirements the SOC must meet, such as CJIS (Criminal Justice Information Services) for public safety data? ● On-site Presence: Section 6 mentions "visit the site" to examine conditions. Is there an expectation for any portion of the SOC services or implementation to be performed on-site at City facilities? ● Escalation: What is the City’s current internal IT staffing level for cybersecurity, and who will be the primary point of contact for 24/7 escalations?

    A: Answered in previous questions.


    Q (No subject): Procurement & Pricing ● Evaluation Weighting: The RFP lists "Detailed Pricing" as 30% of the evaluation. Will the 1, 3, or 5-year plan be the primary basis for the pricing score? ● Implementation Timeline: Does the City have a target "go-live" date for the commencement of 24/7 monitoring services? ● Renewal Terms: The RFP mentions the potential for two additional three-year extensions. Should vendors include projected price escalations for these optional renewal terms in their current proposal.

    A: Evaluation: Not necessarily. Implementation: Will be discussed at shortlist interviews. Renewal: Yes, please.


    Q (No subject):
    Environment & Scope
    • How many endpoints, servers, and network devices are in scope for monitoring?
    • What cloud platforms does the City currently use (Microsoft 365, Azure, AWS, etc.)?
    • What identity management platform is in use (Active Directory, Azure AD/Entra, etc.)?
    • Does the City have an existing SIEM or EDR solution, and if so, which one? Will the vendor be expected to operate it or replace it?
    • Are public safety systems (police/fire) included in scope, or only administrative IT?
    • What IT ticketing systems are currently in place?
    • Will the customer require access to security automation tool? *(this might require us to develop additional user roles)
    Incident Response
    • What is the City's expectation for incident response SLAs (e.g., time to escalate a critical alert)?
    • Is hands-on remediation expected, or advisory/guidance only?
    Pricing & Contract
    • What is the anticipated contract start date and initial term length before renewal options apply?
    • Is there a budgetary range or not-to-exceed figure the City can share?
    • Will pricing be evaluated on the 1-year, 3-year, or 5-year figure as the primary basis for comparison?
    Compliance & Data
    • Are there specific Connecticut state or federal compliance requirements the vendor must support (e.g., CJIS for public safety data)?
    • Will the vendor have access to sensitive or personally identifiable information, and are there specific data handling requirements?
    • Are there scheduled reporting requirements and if so, who is the intended recipient?
    Incumbent & Transition
    • Is there a current cybersecurity services vendor? If so, will transition support be required?

    A: Answers are in previous questions.


    Q (SOC Monitoring Scope): 1. What is the total number of users/endpoints, servers, and network devices in scope for monitoring? 2. Does the City currently have a SIEM platform? If yes, please specify vendor 3. What is the current daily log ingestion volume (GB/day)? 4. What is the average monthly alert volume (last 6 months) and percentage of true positives and False positives? 5. What are the key log sources to be onboarded (e.g., AD, O365, firewalls, EDR, VPN, SaaS apps)?

    A: Answers provided in previous questions


    Q (Security Monitoring Technology): 1. Does the City currently have an EDR/XDR solution deployed? If yes, which vendor? 2. Are there any priority or critical system integrations the city expects as part of this engagement (e.g., public safety systems, SCADA/OT environments, CJIS-related systems)?

    A: Answered in previous questions


    Q (Incident Response Support): 1. Does the City have an existing Incident Response plan/runbooks? Will vendor be required to develop/update these? 2. Does the City have any Incident Response Retainer arrangements?

    A: The City maintains internal processes and expects vendors to support, enhance, and potentially formalize incident response capabilities.


    Q (Threat Intelligence): Does the City currently utilize any threat intelligence platforms or external threat intelligence feeds for enrichment and analysis? If not, is the vendor expected to propose and provide a Threat Intelligence Platform (TIP) as part of the solution?

    A: Vendors may propose threat intelligence capabilities as part of their solution.


    Q (Frameworks): Are there any mandatory compliance requirements (e.g., CJIS, IRS 1075, HIPAA, NIST 800-53)?

    A: Answered in previous questions


    Q (24/7 SOC requirement): What are the City’s expected Service Level Agreements (SLAs) for security operations, specifically for alert acknowledgment, initial triage, escalation, and incident response activities?

    A: Vendors should propose SLAs aligned with industry standards, subject to agreement with the City.


    Q (Continuous monitoring): What Key Performance Indicators (KPIs) will the city use to evaluate vendor performance, such as Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), SLA adherence, and false positive rates?

    A: Performance will be evaluated based on standard SOC metrics such as response times, SLA adherence, and overall service effectiveness.


    Q (Vendor tools to be described): Is the City open to a vendor-provided SIEM/XDR platform as part of the proposed solution, or does it prefer to leverage and integrate with its existing security tools?

    A: Yes, vendors may propose their own platforms or integrate with existing tools.


    Q (Integration requirement): Who will be responsible for procuring and owning the security platform licensing—the city or the vendor (e.g., vendor-managed SaaS model)?

    A: Licensing models may be vendor-provided or City-owned; vendors should clearly define their approach.


    Q (Improve visibility): What are the current gaps, challenges, or pain points in the City’s existing security operations that this RFP aims to address?

    A: This will be addressed, if you are short listed.


    Q (Strengthen posture): Have there been any recent security incidents, audit findings, or risk assessments that have prompted this RFP? If so, can the city share relevant details or key themes to help align the proposed solution?

    A: The RFP is part of the City’s ongoing effort to enhance cybersecurity capabilities and address evolving risks.


    Q (Incident reporting): Does the City currently use an IT Service Management (ITSM) tool (e.g., ServiceNow)? If so, is the vendor expected to integrate with the existing platform, or provide and operate its own ITSM solution?

    A: Answered in previous questions


    Q (No subject): What are the number of Servers, operating systems, versions and types (SQL, File, DC, Web, etc.)?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions and document assumptions.


    Q (No subject): What are the number of Endpoints and Type of Operating Systems (MacOS, Windows, Linux)?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions and document assumptions.


    Q (No subject): What are the number of network devices, type, and version?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions and document assumptions.


    Q (IOC enrichment): Are there any region-specific or government-mandated threat intelligence feeds (e.g., MS-ISAC) that the vendor is expected to integrate with or utilize as part of the solution?

    A: Answered in previous questions


    Q (No subject): What are the number and type of Identity systems?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions and document assumptions.


    Q (Log sources): Are there any compliance or regulatory requirements governing log retention (e.g., 90 days, 1 year)? If so, please specify the applicable standards and retention durations.

    A: Answers provided in previous questions


    Q (No subject): What are the number of Cloud services and platform (Azure, Google, AWS) and any additional cloud protection services?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions and document assumptions.


    Q (SOC support required): Is the City open to exploring non-USA/offshore based hybrid options or should the requested services be delivered from onshore?

    A: US based solutions are preferred.


    Q (No subject): Can the City provide a detailed inventory of assets in scope (endpoints, servers, network devices, cloud workloads)?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions and document assumptions.


    Q (No subject): What are the primary business drivers for City through this RFP (e.g., compliance, recent incidents, audit findings, capability gaps)?

    A: Answered in previous questions


    Q (No subject): What are the number of Firewalls, type and version?

    A: Answered in previous questions


    Q (No subject): What are the VPN systems, type and versions?

    A: Answered in previous questions


    Q (No subject): What are the number of AI platforms, type (i.e., CoPilot, ChatGPT, etc.)?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (No subject): What type of Multi-factor authentication platforms (Authenticator, Cisco DUO, etc.) does Meriden use?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (No subject): What are the number of SaaS/PaaS/IaaS applications, platforms, and infrastructure (SAP, Workday Salesforce, Private Clouds, etc.)?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (No subject): What are the number of Cloud Protection services (Akamai, Cloudflare, Acronis)?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (No subject): What are the number and Type of ticketing system (Jira, ServiceNow, SolarWinds, etc.)?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (No subject): What are the number and type of data lakes?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (No subject): What are the number and types of Privileged Access Management, Privileged Identity Management, or Just In Time security tools? Name and types (CyberArk, Microsoft, Palo Alto, etc.)?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (No subject): What is the number and level of protection for Social Media (Doppel, etc.)?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (No subject): What are the number and type of Vulnerability Management tools?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (No subject): What are the number and type of GRC/ERM platforms and modules?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (Scope of Services (Based on SOC & Monitoring Scope)): 3. Does the scope include vulnerability assessments or penetration testing, or should these be proposed as optional services? 4. Are there any specific systems, applications, or departments that are excluded from SOC monitoring coverage? 5. Are vendors expected to onboard all listed environments (on-premise, cloud, endpoints, network, identity systems) at project initiation, or will onboarding be phased?

    A: Additional services may be proposed as optional. A phased onboarding approach is anticipated.


    Q (Technology & Integration (Based on SIEM/EDR Requirements)): 6. Are there any technical or architectural constraints that vendors should consider when proposing their monitoring solution? 7. Does the City currently utilize any SIEM, EDR, or security tools that the selected vendor must integrate with?

    A: Vendors should assume a standard municipal IT environment and propose accordingly.


    Q (Access & Security Operations): 8. What access mechanisms will be provided to the selected vendor (e.g., VPN, secure remote access), and are there defined security requirements for such access?

    A: Secure remote access will be provided as needed, in accordance with City security policies.


    Q (Staffing & Qualifications (Based on Vendor Qualification Section)): 9. Are there any mandatory background checks or security screening requirements for vendor personnel? 10. Are there any residency or location-based restrictions for personnel supporting this engagement?

    A: 9. Yes, background & screening will be required. 10. No, primarily remote, with onsite support as needed.


    Q (Timeline & Implementation (Based on Timeline Section)): 11. Could the City provide an expected onboarding and implementation timeline following contract award? 12. Is there an incumbent cybersecurity or SOC service provider, and will transition support or knowledge transfer be required?

    A: An onboarding timeline will be established post-award. There may be an incumbent, and transition support may be required.


    Q (SLA & Reporting (Based on Reporting Requirements)): 13. Are there defined Service Level Agreements (SLAs) for alert response, incident escalation, and resolution timelines? 14. Are there specific performance metrics or KPIs that will be used to evaluate vendor performance during the contract?

    A: SLAs and KPIs will be defined in collaboration with the selected vendor and aligned with industry standards.


    Q (Evaluation & Procurement Process (Based on Evaluation Section)): 15. Will shortlisted vendors be invited to participate in presentations, demonstrations, or interviews as part of the evaluation process?

    A: Possibly. Depends upon the number of firms we end up short listing.


    Q (Identity & Access Management): 1. What IAM solutions are currently used (e.g., Active Directory, Azure AD, third-party IAM)? 2. Is Multi-Factor Authentication enabled across users, admins, and remote access? 3. Are privileged access management (PAM) controls in scope?

    A: The City utilizes standard identity management and access control practices, including multi-factor authentication where appropriate.


    Q (IT & Infrastructure):
    1. Approximate number of:
       - Servers (physical & virtual)
       - Endpoints (workstations, laptops, mobile devices)
       - Network devices (firewalls, switches, routers)
       - Cloud workloads and SaaS applications
    2. Which cloud platforms are currently in use (e.g., Azure, AWS, Microsoft 365, Google Workspace)?
    3. Are there any OT / ICS / public safety systems (e.g., police, fire, utilities) that need SOC monitoring?
    4. Are there segmented environments (e.g., CJIS, public-facing, internal admin systems)?

    A: The environment includes a mix of IT systems typical of municipal operations, potentially including segmented environments.


    Q (Existing Security Stack):
    1. What security tools are currently deployed?
       - SIEM (if any)
       - EDR / Antivirus
       - Firewall vendors
       - Email security
       - Vulnerability management tools
    2. Is the City expecting the vendor to:
       - Integrate with existing SIEM/EDR, or
       - Propose and include new tools as part of the service?

    A: The City operates a mix of security tools and expects vendors to either integrate with or enhance the existing environment.


    Q (SOC Operations & Monitoring Expectations): 1. Is the expectation full 24/7/365 active response or 24/7 monitoring with business-hours coordination? 2. Are there specific threat scenarios of concern (e.g., ransomware, phishing, insider threats)? 3. Should monitoring align with specific frameworks (NIST CSF, CIS Controls) beyond what’s mentioned?

    A: The City expects comprehensive monitoring and response aligned with common threat scenarios such as ransomware and phishing.


    Q (Onboarding & Implementation): 1. Expected onboarding timeline from contract award? 2. Are internal resources available to support deployment (IT, security, vendors)? 3. Is there an expectation for phased onboarding vs. full-cutover?

    A: A phased onboarding approach with support from internal IT resources is anticipated.


    Q (Commercial & Pricing): 1. Could the City clarify the expected payment schedule for the proposed 1, 3, and 5-year pricing (e.g., monthly, annual, or milestone-based)? 2. Are vendors permitted to include cost escalation or index-based adjustments across multi-year pricing options?

    A: 1. It can be proposed as an annual or monthly cost. That's up to you. 2. Yes


    Q (Environment Scoping): Does the City currently have an endpoint detection and response (EDR) or antivirus solution deployed? If so, which product?

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (No subject): How many endpoints (i.e. desktops, laptops, and servers) would be in scope for this MDR service? How many firewalls are being leveraged in the current environment? Can you also provide what vendor these appliances are? How many active users are in the environment today? Is the organization using an Identity Provider like EntraID or Okta today? Please specify. How many Windows servers are in scope today? How many Linux servers are in scope today? What Endpoint Detection & Response (EDR) solution is being leveraged by the organization today? Or does the City expect the chosen provider to provide licensing for this type of tool? What systems is the City expecting providers to integrate with (reference page 10 under "Security Monitoring Technology")? Knowing the vendor and product information can help providers ensure support is available.

    A: Specific inventories and counts are not being disclosed. Vendors should propose scalable, flexible solutions.


    Q (NDA?): When will the NDA come into play? It appears that there will be many answers to these questions?

    A: It will be discussed during vendor short list.


    Key dates

    1. March 17, 2026: Published
    2. April 1, 2026: Responses Due
