Town of Manchester, Connecticut General Service Department

Request for Proposal For

Manchester Public Library Category 2 eRate Managed WIFI

RFP No. 15/16-79

Proposals Due:

April 11, 2016 @ 4:00 p.m.

General Services Department 494 Main St. Manchester, CT 06040

(860) 647-3031 Fax (860) 647-5206

Town of Manchester General Services Department

494 Main St. Manchester, CT 04040 (860) 647-3031

Fax (860) 647-5206 1. INTENT It is the intent of the Town of Manchester to have a vendor(s) maintain and manage the Town’s WIFI network and provide on call maintenance and support services. The Town is seeking proposals from vendors who provide Network Access Control Management Services, Firewall equipment upgrades, and cyber security protection instrumentation for use by the Management Vendor and Municipal technical staff to monitor, troubleshoot and maintain this architecture for the Public Library services. The potential award of this proposal is contingent upon availability of eRate funding for the project. 2. PROJECT SCOPE The Procurement of Managed WiFi Networking for the Manchester Library is scoped to include Public Access Points and Software Technology operating in the Town of Manchester’s city-wide dark fiber optic network (Manchester FiberNet). Two library locations, and public Internet access provided at varying locations on the Manchester FiberNet (ranging from the campus grounds of the Manchester Community Collage to small parks such as the park adjoining the Mary Cheney Public Library, the Town Hall, a public innovation-type incubator site at 903 Main Street between the Bennet Middle School Academy and the Mary Cheney Library) all represent the physical location diversity of the managed WiFi Network. Manchester’s Public WiFi “Hot Spots” can be seen listed on the Town of Manchester Web Site. The Key understanding for network management efficiency centers on the fact that the WiFi service is interconnected across the city’s FiberNet. The list of National Institute of Science and Technology “Critical Controls” as the SANS Institute lists them in the response spreadsheet in the Appendix are deployed on this FiberNet. As a Category Two application, we would like to apply for Access Point Internet Connection device hardware and Managed WIFI Service with Basic software upgrade, software patch, bug fix, security patch Maintenance and Technical Support service for our public WIFI carrying Internet connectivity for Municipal Library Service. The SANS & NIST Controls represent the framework for this RFP. Various manufacturers and service providers have varying offerings on this list as represented by their specific products and services – Manchester has implemented the noted controls that are being requested as Managed WiFi Services for this eRate published RFP.

Included with this RFP in Appendix I are the following attachments which provide more detailed information regarding Manchester’s Network Environment.

1. Picture – structured cyber security architecture – generalized. 2. Library WIFI map of 15 locations in Manchester. 3. SANS/NIST list with RFP detail worksheet. 4. FCC Form 471: Funding Item 21c.

3. SUBMISSION DEADLINE All proposals must be received by 4:00 p.m., April 11, 2016. Five (5) hard copies and one electronic copy shall be placed in a sealed envelope and clearly marked “MANCHESTER PUBLIC LIBRARY CATEGORY 2 ERATE MANAGED WIFI”, RFP NO. 15/16-79. Proposals shall be submitted to the Director of General Services as indicated: HAND DELIVERY U.S. POSTAL SERVICE MAIL DELIVERY Town of Manchester, Connecticut Town of Manchester, Connecticut Mr. Gerald R. Dupont Mr. Gerald R. Dupont Director of General Services Director of General Services Lincoln Center Lincoln Center 494 Main Street 494 Main Street, P.O. Box 191 Manchester, CT 06040 Manchester, CT 06045-0191 All proposals shall be opened publicly and recorded as received. There will be no public reading of Proposals. Proposals received later than time and date specified will not be considered. All proposals shall remain firm and cannot be withdrawn for a period of 90 days after receipt of proposals. 4. QUESTIONS AND ADDENDA Questions regarding this RFP may be directed to Gerald Dupont, Director of General Services, via email gensvcs@manchesterct.gov or by fax (860) 647-5206 no later than five (5) days prior to the date proposals are due. All information given by the Town except by this RFP, and written addenda (if necessary) shall be informal and shall not be binding upon the Town nor shall it furnish a basis for legal action by any Proposer or prospective Proposer against the Town. Answers to questions, if appropriate, will be addressed in an addendum which will be issued by the Town of Manchester. This Request for Proposal and any addendum shall be issued on the Town web page http://generalservices1.townofmanchester.org/index.cfm/bids/ and eRate website http://www.usac.org/sl/service-providers/beforeyoubegin/default.aspx. It shall be the responsibility of all interested firms to check the Town website for addenda prior to submitting a response to this Request for Proposal. No addendum shall be issued less than 2 calendar days before the due date unless it is to postpone the due date.

5. ORGANIZATION AND CONTENT OF PROPOSALS In order to facilitate the analysis of responses to this RFP, vendors are required to prepare their proposals in accordance with the instructions outlined in this section. Vendors whose proposals deviate from these instructions may be considered non-responsive and may be disqualified at the discretion of the Town. Proposals should be prepared as simply as possible and provide a straightforward, concise description of the vendor’s capabilities to satisfy the requirements of the RFP. The requirements response section of the proposal should be submitted on a CD and in hard-copy as part of the submitted document. Expensive bindings, color displays, promotional material, etc., are not necessary or desired. Emphasis should be concentrated on accuracy, completeness, and clarity of content. All parts, pages, figures and tables should be numbered and clearly labeled. The proposal should be organized into the following major sections. A. SUBMITTAL LETTER Respondents shall submit a cover letter addressed to Gerald Dupont, signed by an authorized principal or agent of the respondent which provides an overview of the respondent’s offer, as well as the name, title, and telephone number of the person to whom the Town of Manchester may direct questions concerning the proposal. The letter should also include a statement by the respondent accepting all terms and conditions contained in this RFP, signed by an officer or other individual with authority to negotiate and contractually bind the firm. B. COMPANY BACKGROUND Vendors must provide the following information about their company so that the Town can evaluate the vendor’s ability to support the commitments set forth in response to the RFP. The Town, at its option, may require a vendor to provide additional support and/or clarify requested information. The vendor should outline the company’s background, including: 1. How long the company has been in business. 2. A brief description of the company size and organization. 3. The number of software installs and size of each (number of users). C. RESPONSES TO THE SYSTEM REQUIREMENTS Vendors shall respond to this RFP by using the SANS/NIST Controls spreadsheet included with the RFP documents. Manchester understands that a successful bidder may not address all the controls that are in place nor choose to provide expansions on the existing controls that Manchester’s Network Security needs because of the wide range of control sources that have been implemented over the years. Vendor responses shall follow the framework of the spreadsheet and complete each column as follows. Column G: No Bid If vendor is unable to provide the service, they should indicate “No Bid” in this column. If vendor is providing this service as part of another element, indicate $0.00.

Column H: Bid $ Amount Vendor shall indicate cost of proposed service offered. Column I: Bid Page Vendor shall indicate a referenced page number in their response where response information is detailed. Column J: Service or Implementation Element Vendor shall indicate product or service corresponding with critical security control line item. Columns K through O USAC Item 21c – Managed Internal Broadband Services-Version 15.1 This information comes directly from the eRate website. On the eRate website, the vendor is presented with a dropdown menu of options for column K. The options are:

• Managed and leased from a third party service provider; • Managed by third party service provider, and purchased from them or other vendor; or • Managed services contract of already installed equipment.

Vendor shall select the option which best describes their offering and complete this proposal with the same choice. 6. REFERENCES Vendor shall provide references utilizing solutions proposed in the RFP. References shall include contact name, title, address, telephone numbers and email addresses. 7. EXCEPTIONS Vendors taking exceptions to any requirement in this RFP shall state and explain such exceptions. The Town may accept proposals which take exception to any requirements in this RFP, or which offer any alternative to a requirement contained herein. Any exception or alternative must be clearly delineated and cannot materially affect the substance of this Request for Proposal. 8. DRAFT AGREEMENTS Provide samples of proposed solution agreement, support and service agreement and implementation agreement. 9. SELECTION PROCESS The Town will evaluate all proposals deemed responsive to this request by a committee selected by the Town of Manchester. The submissions will be assessed as to adequacy according to the Appendix materials and examples in use in Manchester’s FiberNet.

Proposals will be evaluated by the Town based on the following criteria:

• Quality, clarity and responsiveness of proposal. • Functional and Technical capabilities. • Installation, implementation and training plan. • Demonstrated performance of proposed system elsewhere, system maintenance, updating and ongoing technical support and references. • Cost.

The Town of Manchester shall select the responsible and responsive Proposal which is determined by the Town to be the best suited, most advantageous, and provides the greatest overall benefit to the Town on the basis of the criteria and evaluation factors included in this Request for Proposal. Cost shall be only one factor in the award decision. The Town expressly reserves the right to negotiate with the selected vendor prior to an award of any contract pursuant to this Request for Proposal. 10. GENERAL PROVISIONS A. The Town of Manchester is an equal opportunity employer, and requires an affirmative action

policy for all of its Contractors and Vendors as a condition of doing business with the Town, as per Federal Order 11246. By submitting a Proposal for this Request for Proposal, all vendors and contractors agree to this condition of doing business with the Town and should the Town choose to audit their compliance, the vendor agrees to cooperate fully.

B. Any act or acts of misrepresentation or collusion shall be a basis for disqualification of any

proposal or proposals submitted by such persons guilty of said misrepresentation or collusion. In the event that the Town enters into a contract with any bidder who is guilty of misrepresentation or collusion and such conduct is discovered after the execution of said contract, the Town may cancel said contract without incurring liability, penalty or damages.

C. All deliveries of commodities or services hereunder shall comply in every respect with all

applicable laws of the Federal Government and/or the State of Connecticut. Purchases made by the Town of Manchester are exempt from payment of Federal Excise Taxes and the Connecticut Sales Tax and such taxes must not be included in bid prices. Federal Excise Tax exemption certificates, if requested, will be furnished.

D. The Town reserves the right to reject any and all proposals, to waive any informalities or

technical defects in any proposal or discontinue this process at any time and to negotiate fees and final scope of service with selected firm. Non selection of any proposal will mean that another acceptable proposal was deemed to be more advantageous to the Town of Manchester or that no proposal was accepted.

E. The Town will not be liable for any costs incurred in the preparation of the response for this

Request for Proposal. All proposal submissions and materials become property of the Town and will not be returned. Respondents to this RFP are hereby notified that all proposals submitted and information contained therein and attached thereto shall be subject to disclosure under the Freedom of Information Act after evaluation and award decisions have been made.

F. These specifications in their entirety are the property of the Town of Manchester. The Proposer shall not copy or disseminate any portion of these specifications without express written authorization from the Town of Manchester, except as necessary in the preparation of a proposal. Any authorized copies of these specifications or portions thereof shall include a similar paragraph prohibiting further copying or dissemination.

G. Assignment by the successful respondent to a third party of any contract based on the Request for

Proposal or any monies due is prohibited and will not be recognized by the Town of Manchester unless approved by the Town in writing.

H. Selected consultants shall at its own expense and cost, obtain and keep in force, insurance per the

attached limits during the duration of the project. Insurance coverage shall cover the consultant, all of its agents, employees, subcontractors and other providers of services.

1. Firms providing professional services must provide A., B., or C. below, along with the

following: Errors and Omissions-aggregate limit of liability $1,000,000.

A. General Liability and Property Damage - $2,000,000 aggregate $1,000,000 each occurrence B. Workers’ Compensation – as required by Connecticut State Statute

The contractor shall indemnify and hold harmless the Town of Manchester and their agents and

employees from and against all claims, damages, losses, and expenses, including attorney’s fee of counsel selected by the Town of Manchester, arising out of or resulting from the performance of the work, and/or the supplying of materials, provided that any such claim, damage, loss or expense (a) is attributable to bodily injury, sickness, disease, or death, or to injury to or destruction of tangible property including the loss of use resulting therefrom and (b) is caused in whole or in part by any negligent act or omission of the Contractor, any Subcontractor, anyone directly or indirectly employed by any of them or anyone for whose acts any of them may be liable, regardless of whether or not it is caused in part by a party indemnified hereunder.

11. MANCHESTER LIVING WAGE ORDINANCE

This bid is subject to the provisions of the Town of Manchester Living Wage Ordinance. A summary description of the ordinance and the certification form is attached. Contractors are asked to indicate on the attached Certification Form if your firm would be considered a covered employer. The Certification Form shall be returned to the Town with the proposal.

Summary Description for Vendors Regarding Manchester’s Living Wage Ordinance

Effective February 1, 2010, the Town of Manchester adopted a living wage ordinance. This Summary Description is designed to provide any vendor bidding on a Town of Manchester contract with the key provisions of that ordinance. It does not contain the full ordinance. LIVING WAGE REQUIREMENT: The ordinance requires that companies awarded service contracts by the Town of Manchester exceeding $25,000 in any one fiscal year pay their Eligible Employees a living wage. Companies considered Covered Employers subject to this requirement are defined below. The Town of Manchester has determined that the contract resulting from this bid or Request for Proposals will be subject to the ordinance if the total contract value is $25,000 or more in any one fiscal year. The living wage is currently calculated to be $13.41/hour for employees that are provided comprehensive health care benefits, or $17.13/hour for employees that are not provided comprehensive health care benefits. The living wage and health benefit requirements are adjusted annually each July, effective July 1, 2010. Companies will be required to pay the applicable living wage rate in effect during the term of their contracts. COVERED EMPLOYERS AND EXEMPTIONS: The ordinance requires that Covered Employers pay the living wage rate. Certain employers are excluded from paying the living wage rate. They are as follows: - Non-profit organizations as defined by the ordinance, and - Entities that employ less than 25 eligible employees. ELIGIBLE EMPLOYEES: Eligible employees are all permanent, full time employees of the company (defined as a normal work week of at least 30 hours), working in the State of Connecticut, not just those working on the Town contract. The following are not considered eligible employees for the purposes of the living wage requirement: - Employees with a normal work week of less than 30 hours.

- Seasonal or temporary employees.

- Employees under the age of 18.

- Employees hired as part of a school-to-work program. - Students who serves in a work-study program or as an intern.

- Trainees participating for not more than six months in a training program. - Employees enrolled in a governmentally funded vocational rehabilitation program. - Volunteers working without pay. - Employees exempted under Section 14(c) of the Fair Labor Standards Act due to disabilities. - Any person whose wage rate is subject to a federal or State of Connecticut statute or regulation

mandating a prevailing wage rate. EMPLOYER OBLIGATIONS: Covered Employers are required to do the following pursuant to the ordinance. - Certify with the submission of their bid or proposal a) that they will pay the required living wage to

eligible employees if awarded a contract, or b) that they are exempt from requirements of the ordinance,

- Upon award, covered employers shall provide the Town a sworn affidavit affirming that all eligible

employees of the covered employer working in the State of Connecticut are receiving the living wage and health benefits required by this ordinance.

- This sworn affidavit shall be provided thereafter on an annual basis within 30 days of a request

being made by the Town if the duration of the contract exceeds one (1) year. - Notify their employees of their rights under the Living Wage Ordinance by posting a copy of the

ordinance and other materials prepared by the Town of Manchester in locations where employees will see them.

- Make best efforts to attempt to hire residents of the Town of Manchester for all new positions

which result from a service contract subject to the ordinance. PROHIBITED PRACTICES: - Covered Employers cannot decrease non-wage benefits (such as insurance, vacation, or pension) as

a means of complying with the living wage requirements. - Covered Employers cannot retaliate or discriminate against any employee for making a complaint

against the covered employer regarding compliance with living wage requirements.

ENFORCEMENT: The Town may enforce the provisions of this ordinance by the imposition of fines, suspension of contract or declaring the Covered Employer ineligible for future contracts. WAIVERS: The ordinance provides for the waiver of certain requirements in the ordinance. However, no waivers will be considered until the bidding process has been completed and a contract has been awarded. Requests for waivers must be made by the Covered Employer, in writing, to the General Manager. The General Manager shall submit the waiver request to the Board of Directors, which shall have the sole discretion as to whether it is granted. The above is intended to be a summary of the requirements of the living wage ordinance as they affect covered employers and is provided for informational purposes only. Employers should read the entire Living Wage Ordinance. It can be found online at www.townofmanchester.org on the left side of the page. Click on Document Center, scroll to General Services and click on Living Wage Ordinance.

TOWN OF MANCHESTER LIVING WAGE CERTIFICATION FORM

The Town of Manchester has determined that this contract may be subject to the provisions of the Manchester Living Wage Ordinance, Chapter 212 of the Manchester Code of Ordinances, Sections 212-1 through 212-11. Bidders are required to indicate whether they are a Covered Employer as defined by the Manchester Living Wage Ordinance or are exempt from the requirements by marking the appropriate section below. FAILURE TO INDICATE MAY RESULT IN THE REJECTION OF YOUR BID. I/We are a covered employer and shall pay the required living wage to eligible

employees and comply with the requirements of the ordinance during the term of the contract.

Or that:

I/We are not a Covered Employer and therefore not subject to Manchester’s Living Wage Ordinance for the reason indicated below: ____ Charitable foundations, charitable trusts or nonprofit agencies or nonprofit

corporations, provided that the foundation, trust or nonprofit agency or corporation is exempt from federal income taxation and may accept charitable contributions under Section 501 of the Internal Revenue Code of 1986, or any subsequent corresponding internal revenue code of the United States, as from time to time amended.

____ Bidder employs less than twenty five (25) eligible employees. ____ Annual contract value is less than $25,000. I, of do hereby certify Officer, Owner, Authorized Rep. Company Name that the representations made above are accurate for : Bid Name or RFP Name Signed by: Dated: TO BE RETURNED WITH BID OR RFP SUBMISSION.

APPENDIX I

!(9

!(8

!(7

!(6

!(5

!(3

!(2

!(15

!(14

!(12

!(11

!(4

!(1

!(13

!(10

¬«4¬«4

¬«3¬«3

¬«2

¬«2

¬«61

¬«63

¬«62¬«62

¬«59¬«60

¬«61

§̈¦84

§̈¦84

§̈¦84

§̈¦384

§̈¦384

£¤6

£¤6

£¤6

£¤44

£¤83

£¤83

£¤83

£¤83

£¤30£¤83

£¤44

£¤44

£¤534£¤534

£¤502

Public Wi-Fi in Manchester, CT

:

WiFi_locations2016_2.mxd

TOWNHALL

CENTERPARK

LINCOLNCENTER

MARYCHENEYLIBRARY

MAIN

ST

PEARL ST

LINDE

N ST

MADI

SON

STHAZEL ST

CENTER ST/US RT 6 AND 44

MAIN

ST/C

T RT 8

3

TROTTER ST

!(9

!(2!(1

!(10

# NAME ADDRESS1 MARY CHENEY LIBRARY 586 MAIN ST2 CENTER PARK 586 MAIN ST3 WHITON MEMORIAL LIBRARY 100 N MAIN ST4 AXIS 901 901 MAIN ST5 MCC ON MAIN 903 MAIN ST6 BENNET ACADEMY 1151 MAIN ST7 CENTER SPRINGS PARK REC CENTER 39 LODGE DR8 NORTHWEST PARK REC OFFICE 446-1 TOLLAND TPKE9 TOWN HALL 41 CENTER ST

10 LINCOLN CENTER 494 MAIN ST11 POLICE COMMUNITY ROOM 239 MIDDLE TPKE E12 MCC CAMPUS 1 GREAT PATH RM E10113 COMMUNITY Y 78 N MAIN ST14 YOUTH SERVICE BEAU 153 SPRUCE ST15 SENIOR CENTER 549 MIDDLE TPKE E

Must be filled out for eRate eligibility: Type_of_Managed_Service_AgreementNIST Recommended Security Controls -File:SANS and NIST Manchester Managed WiFi Bid Spec.xls Town Implemented Controls Managed and leased from a third party service provider

SANS NIST800-53ACritical Security Controls Example / Explanation WiFi Bid Policy or Implementation Elements in Type of Managed Service Agreement

No Bid Bid $ Amount Bid PageEnter Vendor's Product or Service

corrusponding to it's Critical Security Control line item Type of Managed Service Agreement

Monthly Recurring Eligible Cost

Monthly Recurring Ineligible Cost

One-time Eligible Cost

One-time Ineligible Cost

Managed by third party service provider, and purchased from them or other vendors

CSC–01 Inventory of Authorized & Unauthorized Devices * Managed services contract of already installed equipmentCSC–01 CA–07 Continuous Monitoring Ports * SonicWall , Alien VaultCSC–01 CM–08 Information System Component Inventory Inventory *CSC–01 IA–03 Device Identification and Authentication Directory Systems * Microsoft AD, Packet Fence NAC,CSC–01 SI–04 Information System Monitoring Intrusion Detection * Firewalls, NESSUS, Alien Vault, OSSEC-like Log analyticsCSC–02 Inventory of Authorized and Unauthorized Software *CSC–02 CA–07 Continuous Monitoring Intrusion Detection * SysLog Data Base, Alien Vault, SonicWall Fire Wall, Packet Fence Network Access Control, Microsoft A/DCSC–02 CM–02 Baseline Configuration Switch/Router OS,PC * Alcatel OS, Cisco IOS, Microsoft OS's CSC–02 CM–08 Information System Component Inventory Network OS * Alcatel OS, Cisco IOS, Packet FenceCSC–02 CM–10 Software Usage Restrictions Network OS * Microsoft AD Policies, Packet FenceCSC–02 SI–04 Information System Monitoring Intrusion Detection * Alien Vault, SonicWall Firewall, Packet Fence Network Access Control, MS A/DCSC–03 Secure Configurations for Mobile Devices, Workstations, Servers *CSC–03 CA–07 Continuous Monitoring Intrusion Detection * SysLog Data Base, Alien Vault, SonicWall Fire Wall, Packet Fence Network Access Control, Microsoft A/DCSC–03 CM–02 Baseline Configuration Switch/Router OS,PC * Alcatel OS, Cisco IOS, Microsoft OS's CSC–03 CM–03 Configuration Change Control Systems Update System (SUS) * Microsoft OS SUS, Product vendor schedulesCSC–03 RA–05 Vulnerability Scanning Open source and Appliances * NESSUS, SNORT, OSSIM-like Log Analytics, Alien VaultCSC–03 SI–02 Flaw Remediation Work Order System * Manage Engine Service Desk, CSC–03 SI–04 Information System Monitoring Intrusion Detection * SysLog Data Base, Alien Vault, SonicWall Fire Wall, Packet Fence Network Access Control, Microsoft A/DCSC–04 Continuous Vulnerability Assessment and Remediation *CSC–04 CA–07 Continuous Monitoring Network Scan * NESSUS, SNORT, OSSIM-like Log Analytics, Alien Vault, SAN File Hash S/W (Proposed)CSC–04 RA–05 Vulnerability Scanning Penetration Testing * NESSUS, SNORT, OSSIM-like Log Analytics, Alien VaultCSC–04 SC–34 Non–Modifiable Executable Programs SCADA PLCs *CSC–05 Malware Defenses *CSC–05 CA–07 Continuous Monitoring Index Hash on applications and files * SysLog Data Base, Alien Vault, SonicWall Fire Wall, Packet Fence Network Access Control, Microsoft A/DCSC–05 SI–03 Malicious Code Protection anti-Virus, A/D whitelisting, eMail Filters, Firewall Filters * Kaspersky A/V, MS Active Directory Whitelist Policy fx, Barracuda eMail Filters, SonicWall FirewallsCSC–05 SI–04 Information System Monitoring Intrusion Detection * SysLog Data Base, Alien Vault, SonicWall Fire Wall, Packet Fence Network Access Control, Microsoft A/D , NESSUSCSC–05 SI–08 Spam Protection eMail Filter * Barracuda eMail Management, Microsoft eMail servicesCSC–06 Application Software Security *CSC–06 RA–05 Vulnerability Scanning Intrusion Detection and Protection * SysLog Data Base, Alien Vault, SonicWall Fire Wall, Packet Fence Network Access Control, Microsoft A/DCSC–06 SA–13 Trustworthiness Security functionality and c.i.a. assurance * security assurance is a function of small group code auditability & development transparency for conf., Integ., & avail.CSC–07 Wireless Device Control *CSC–07 AC–18 Wireless Access Network Access Control (NAC), Wireless LAN Controller * Packet Fence NAC with Alcatel, Cisco and Apple Access Points; Cisco WLC 4404 & 5508 Wireless LAN ControllersCSC–07 AC–19 Access Control for Mobile Devices Network Access Control (NAC) * Packet Fence NAC with Alcatel, Cisco and Apple Access PointsCSC–07 CA–03 System Interconnections Switch Arch and Fire Walls * Alcatel Switches AOS, SonicWall firewallsCSC–07 CA–07 Continuous Monitoring Network Access Control (NAC), Wireless LAN Controller * Packet Fence NAC with Alcatel, Cisco and Apple Access Points; Cisco WLC 4404 & 5508 Wireless LAN ControllersCSC–07 CM–02 Baseline Configuration Switch Arch and Fire Walls * Alcatel Switches AOS, SonicWall firewallsCSC–07 IA–03 Device Identification and Authentication Network Access Control (NAC), Wireless LAN Controller * Packet Fence NAC with Alcatel, Cisco and Apple Access Points; Cisco WLC 4404 & 5508 Wireless LAN ControllersCSC–07 SC–08 Transmission Confidentiality and Integrity Access Point encryption, Wireless LAN Controller * Alcatel, Apple and Cisco standard encryption sets, Cisco WLC 4404 & 5508 Wireless LAN ControllersCSC–07 SC–40 Wireless Link Protection Network Access Control (NAC), Wireless LAN Controller * Packet Fence NAC with Alcatel, Cisco and Apple Access Points; Cisco WLC 4404 & 5508 Wireless LAN ControllersCSC–07 SI–04 Information System Monitoring Network Access Control (NAC) * Packet Fence NAC with Alcatel, Cisco and Apple Access PointsCSC–09 Security Skills Assessment and Appropriate Training to Fill Gaps *CSC–09 AT–03 Role–Based Security Training SANS, Project and Network Device Specific roles * SANS training 5 years average, Network devices and Appliances (Alcatel, Alien V.),CSET SCADA Project TrainingCSC–09 AT–04 Security Training Records Financial expenditures and c course certifications * HR Travel records; Budget Expenditures for Alcatel,Cisco, Microsoft & Alien Vault products + Linda.com + SANS CSC–09 PM–13 Information Security Workforce designated Security roles - individuals plus I/T staff * Ron Masse - Security Officer, Michael Shekman and Mike Franzo Security Project Management; I/T Tech Staff CSC–09 PM–14 Testing, Training, & Monitoring designated Security roles - individuals plus I/T staff * Ron Masse - Security Officer, Michael Shekman and Mike Franzo Security Project Management; I/T Tech Staff CSC–10 Secure Configurations for Network Infrastructure & Security Devices *CSC–10 AC–04 Information Flow Enforcement Subnet controls * SonicWal Firewalls separating FiberNet subnets and multiple Internet linksCSC–10 CA–07 Continuous Monitoring Appliances and Net Access Controls * NESSUS, SNORT, OSSIM-like Log Analytics, Alien Vault, SAN File Hash S/W (Proposed)CSC–10 CM–03 Configuration Change Control contracted device maintenance release * Alcatel, Cisco, Sonicwall, Alien Vault and Barracuda maintenance schedule releases - plus open source updatesCSC–10 CM–05 Access Restrictions for Change roles responsibility and Vault controlled user id /password * Michael Shekman, Mike Franzo, Ron Masse, Karen Freund and Jack McCoy - roles with equipment and s/wCSC–10 CM–06 Configuration Settings FTP controls * Remote access by systems managers with Configuration control responsibilityCSC–10 SI–04 Information System Monitoring Intrusion Detection and Protection * SysLog Data Base, Alien Vault, SonicWall Fire Wall, Packet Fence Network Access Control, Microsoft A/D & A/VCSC–11 Ports, Protocols, and Services Management *CSC–11 AC–04 Information Flow Enforcement Boundary protection devices * Information flow protections are the province of the city's Firewalls, routers and Barracuda eMail blockingCSC–11 CA–07 Continuous Monitoring Security Assessments reports, actions & milestones * NESSUS, Alien Vault & SysLog Server are the transparent analysis responsibility of 3 people(M.S.,M.F.,& R.M.) CSC–11 CA–09 Internal System Connections placement of monitoring devices and appliances * Firewalls, NESSUS, Alien Vault, OSSEC-like Log analytics are positioned in the subnets promoting accessCSC–11 CM–02 Baseline Configuration Loads for op.sys. & applications with patch status * Components, networks and placements controlled in Tech Support inventory (Manage Engine Service Desk).CSC–11 CM–06 Configuration Settings Most restrictive modes in directory management *CSC–11 SI–04 Information System Monitoring SysLog server captures and Analytics * SysLog Server holds Syslogs from devices and Alien Vault performs analyticsCSC–12 Controlled Use of Administrative Privileges *CSC–12 SI–04 Information System Monitoring Detects Information Systems Attacks * Deploy monitoring appliances (Alien Vault, SysLog Server, NESSUS, sniffers) by authorized personnel (3).CSC–13 Boundary Defense *CSC–13 AC–04 Information Flow Enforcement Boundary protection devices * Guards such as Barracuda, SonicWall fire walls, and Alcatel & Cisco router path control in fiber subnets.CSC–13 AC–17 Remote Access VPN and NAC * remote access is controlled by SonicWall VPN and Packet Fence NACCSC–13 CA–07 Continuous Monitoring Automated support tools for monitoring * Microsoft A.D.,Sonicwall VPN and Packet Fence have individual I/S Staff with security management responsibilityCSC–13 CA–09 Internal System Connections Automated support tools for monitoring * NESSUS, Alien Vault & SysLog Server are the analysis technology; SonicWall firewalls within the fibernet subnets CSC–13 CM–02 Baseline Configuration Automated support tools for Syslogs * Alien Vault, SonicWall Firewall, Packet Fence Network Access Control, collect data for boundary defense forensicsCSC–13 SC–07 Boundary Protection Monitors and controls boundaries on FiberNet subnets * MS / Linux Web Servers and SonicWall Firewalls manage traffic CSC–13 SC–08 Transmission Confidentiality and Integrity Control of information across internal and external nets * Alcatel routing through managed interfaces on the networks. Addresses are not published for external discovery.CSC–13 SI–04 Information System Monitoring Detects Information Systems Attacks * Deploy monitoring appliances (Alien Vault, SysLog Server, NESSUS, sniffers, Sonicwall firewalls).CSC–14 Maintenance, Monitoring and Analysis of Audit Logs *CSC–14 AU–02 Audit Events ICS auditing at system server and firewall level logging * auditable level event list development a function of experience with threats and Alien Vault / NESSUS reportsCSC–14 AU–03 Content of Audit Records Type event, date/time, location, source, outcome,identity * SysLog and detailed privileged commands used by involved identities saved to SysLog Server for forensics CSC–14 AU–04 Audit Storage Capacity reduce the likelihood of capacity being exceeded * Consider the audit and logging scope to size the SysLog Server. CSC–14 AU–05 Response to Audit Processing Failures alert to designated officials to respond * respond e.g. shut down system or overwrite oldest, or stop generating audit log records - depends on C.I.A.CSC–14 AU–06 Audit Review, Analysis, and Reporting look for unusual or inappropriate & adjust levels * make use of near-real-time audit review available from Alien Vault and SysLog ServerCSC–14 AU–07 Audit Reduction and Report Generation perform after-the-fact analytics w/o record destruction * Use analytical Alien Vault and SysLog Server analytics to formulate report and summary for actionsCSC–14 AU–08 Time Stamps Date and time stamp records * reconcile different time stamp sources and error-offsets across recordsCSC–14 AU–09 Protection of Audit Information protect from unauthorized modification; perform backup * back up on system onto a different system than is being auditedCSC–14 AU–10 Non–repudiation use digital signatures, digital message receipts services * save identify, binded information in chain of custody. CSC–14 AU–11 Audit Record Retention for use in after-the-fact investigations and normal admin * Alien Vault useCSC–14 AU–12 Audit Generation auditable event list choices for end user * Alien vault generation for lists CSC–14 AU–13 Monitoring for Information Disclosure monitor use of audit materials for evidence of misuse * Alien Vault and SonicWall firewall and sniffer capabilities availableCSC–14 AU–14 Session Audit Capture/record & view all content related to a user session * Alien Vault and SonicWall firewall and sniffer capabilities availableCSC–14 CA–07 Continuous Monitoring Automated support tool facilities near real-time * Alien Vault, SonicWall firewall, Barracuda eMail filtering and Ethernet sniffer capabilities availableCSC–14 IA–10 Adaptive Identification and Authentication Organization and Public user Authentication * Microsoft Active directory for Authenticated organizational users and Packet Fence registration of public usersCSC–14 SI–04 Information System Monitoring Event monitoring internal & external transactions of interest * Strategic placement of monitoring tools & use of tech (Int.Det- SonicWall/Alien Vault/sniffers, malw. Det. …HTTP ) CSC–15 Controlled Access Based on the Need to Know *CSC–15 SC–16 Transmission of Security Attributes Security attribute Info exchanged between systems * Blocking objects at SonicWall firewalls with access-lists, Barracuda eMail filter blocking, Packet Fence blockingCSC–15 SI–04 Information System Monitoring Monitoring events for system attacks & unauthorized use * Deploy monitoring devices strategically and ad hoc in network perimeters and in suspected security violation areasCSC–16 Account Monitoring and Control *CSC–16 AC–02 Account Management Identify accounts by individual, group, app., use time * Microsoft A.D.,Sonicwall VPN and Packet Fence have individual I/S Staff with security management responsibilityCSC–16 IA–05 Authenticator Management Background and Police security checks; Senior Employees *CSC–16 IA–10 Adaptive Identification and Authentication Non-organizational users / Public identification & auth. * WiFi Self Registration is the only adaptive authentication - IP address and MAC Address w/UserID are loggedCSC–16 SI–04 Information System Monitoring Detects Information Systems Attacks * Deploy monitoring appliances (Alien Vault, SysLog Server, NESSUS, sniffers, Sonicwall firewalls) w/alertingCSC–17 Data Loss Prevention *CSC–17 AC–03 Access Enforcement Enforcement mechanisms * Microsoft A.D.,Sonicwall Firewall and VPN and Packet Fence enforce authorized accessCSC–17 SC–31 Covert Channel Analysis systems management and integrators analysis * I/S Staff and contracted network support review and analyze possibilities of unauthorized cross domain developments CSC–17 SC–41 Port and I/O Device Access systems management and integrators analysis * I/S Staff and contracted network support analyze possibilities of unauthorized port access and pennnitrationsCSC–17 SI–04 Information System Monitoring Detects Information Systems Attacks * Deploy monitoring appliances (Alien Vault, SysLog Server, NESSUS, sniffers, Sonicwall firewalls) w/alertingCSC–18 Incident Response and Management *CSC–18 IR–01 Incident Response Policy and Procedures General information security for the organization * establish security defenses configurations and placements at perimeters and in key subnet areasCSC–18 IR–02 Incident Response Training Threat analysis involving real organization case * respond to reported intrusion exploit by Internet Services Provider shutdown of Internet link

USAC Item 21c - Managed Internal Broadband Services - Version 15.1Procurement Vendor Response

CSC–18 IR–03 Incident Response Testing Surveillance Tools and technology procedures * NESSUS, Alien Vault & SysLog Server are the analysis technology; SonicWall perimeter firewalls & Packet Fence WiFi subnets CSC–18 IR–04 Incident Handling Preparation, detection, analysis, containment & recovery * NESSUS, Alien Vault & SysLog Server are the analysis technology; SonicWall perimeter firewalls & Packet Fence WiFi subnets CSC–18 IR–05 Incident Monitoring Preparation, detection, analysis, containment & recovery * NESSUS, Alien Vault & SysLog Server are the analysis technology; SonicWall perimeter firewalls & Packet Fence WiFi subnets CSC–18 IR–06 Incident Reporting Preparation, detection, analysis, containment & recovery * NESSUS, Alien Vault & SysLog Server are the analysis technology; SonicWall perimeter firewalls & Packet Fence WiFi subnets CSC–18 IR–07 Incident Response Assistance Tools established for Security Staff and Consultants * Staff reconfigured to 3 people (M.S., M.F., R.M.); Independent consulting RFQ results in 2 available firmsCSC–18 IR–08 Incident Response Plan Establish mandatory configuration for I/T product security * establish security defenses configurations and placements at perimeters and in key subnet areasCSC–18 IR–10 Integrated Information Security Analysis Team Tools established for Security Staff and Consultants * Staff trained to 4 people (M.S., M.F., R.M., J.M.); consulting Request for Quote to assess and pen testCSC–19 Secure Network Engineering *CSC–19 AC–04 Information Flow Enforcement Boundary protection devices * Guards such as Barracuda filters, SonicWall fire wall block, & Alcatel & Cisco router path control in fiber subnets.CSC–20 Penetration Tests and Red Team Exercises *CSC–20 PM–16 Threat Awareness Program Threat analysis involving real organization case * respond to reported intrusion exploit by Internet Services Provider shutdown of Internet link CSC–20 CA–08 Penetration Testing Tools used by Security Staff and Consultants * Staff trained to 4 people (M.S., M.F., R.M., J.M.); consulting Request for Quote to assess and pen testCSC–20 RA–06 Technical Surveillance Countermeasures Survey Surveillance Tools and technology procedures * NESSUS, Alien Vault & SysLog Server are the analysis technology; SonicWall perimeter firewalls & Packet Fence WiFi subnets CSC–20 SI–06 Security Function Verification verify operation with Staff and Independent Consultants * Staff reconfigured to 3 people (M.S., M.F., R.M.); Independent consulting RFQ results in 2 available firmsCSC–20 PM–06 Information Security Measures of Performance Reports on the results of security measures * NESSUS, Alien Vault & SysLog Server are the analysis technology; SonicWall perimeter firewalls & Packet Fence WiFi subnets CSC–20 PM–14 Testing, Training, & Monitoring Gather information on capabilities levels * Staff trained to 4 people (M.S., M.F., R.M., J.M.); consulting Request for Quote to assess and pen test

* $0 total Bid* Items Bid 1 0 No Bid on asked for items

file: SANS Managed WiFi blank Bid Page - Sorted

Page 1 of 1

Type of Managed Service Agreement

Monthly Recurring Eligible Cost

Monthly Recurring Ineligible Cost

One-time Eligible Cost

One-time Ineligible Cost

Item 21c - Managed Internal Broadband Services - Version 15.1