BOARD OF COMMISSIONERS PORT OF NEW ORLEANS

BOARD OF COMMISSIONERS
PORT OF NEW ORLEANS
REQUEST FOR QUALIFICATIONS
INFORMATION TECHNOLOGY (IT) CYBERSECURITY
VULNERABILITY ASSESSMENT
DUE BY TWELVE NOON CENTRAL TIME
ON THURSDAY JANUARY 7, 2016
NEW ORLEANS, LOUISIANA
Issue Date: November 23, 2015
Revised Date: December 9, 2015
Table of Contents
PART I. SUMMARY ... 3
  NOTICE OF REQUEST FOR QUALIFICATIONS ... 3
PART II. GENERAL INFORMATION ... 4
  INTRODUCTION ... 4
  SCOPE OF WORK ... 4
  INSURANCE ... 5
  SELECTION PROCESS AND CRITERIA ... 7
  COMPENSATION ... 7
  AUDIT REQUIREMENTS ... 7
  TRANSPORTATION WORKER IDENTIFICATION CREDENTIALS ... 7
  AFFIDAVITS ... 8
PART III. REQUIREMENTS TO RESPOND TO THIS RFQ ... 8
  SUBMITTAL REQUIREMENTS ... 8
  SUBMITTAL FORM ... 8
  EVALUATION CRITERIA OF THE RFQ ... 12
PART IV. REQUIREMENTS TO RESPOND TO AN RFP IF INVITED ... 12
  INVITATION TO RESPOND TO RFP ... 12
  REQUEST FOR PROPOSALS ... 12
Page 2 of 12
PART I. SUMMARY
NOTICE OF REQUEST FOR QUALIFICATIONS
Notice is hereby given that the Board of Commissioners of the Port of New Orleans (Board) is
issuing a Request for Qualifications (RFQ) from firms that are interested in being considered for
award of a contract to perform an Information Technology (IT) cybersecurity vulnerability
assessment with the intent to identify and mitigate potential vulnerabilities in its critical IT
infrastructure. The Board maintains several enterprise and departmental software applications
and platforms managed in-house and on premise. The IT cybersecurity assessment will identify
vulnerabilities in its information technology infrastructure, systems, policies and practices and
develop a prioritized set of actions to mitigate the risks identified.
Interested firms may obtain the RFQ via the Port of New Orleans website at www.portno.com
under the PROCUREMENT page under HOME, then under REQUEST FOR PROPOSALS, or
directly at this website address: http://portno.com/Request-For-Proposals. The RFQ contains
information and instructions on submitting qualifications.
The evaluation of qualifications, issuance of Request for Proposals (RFP), evaluation of
proposals, and award of contract will be scheduled as set forth in the RFQ. All interested
qualified firms are invited to submit their qualifications and those of any sub-consultants proposed
to perform the services outlined in the RFQ. The RFQ describes the evaluation factors that will
be used in recommending firms to receive an RFP. Failure to submit all information required in
the RFQ will constitute a non-response.
A response submittal to this RFQ shall consist of six bound copies furnished in a sealed envelope
or box titled “Request for Qualifications for IT Cybersecurity Vulnerability Assessment”.
Submittals shall be mailed or delivered (no facsimile nor email) to the Board of Commissioners
of the Port of New Orleans, Ms. M. Eileen Pansano, Internal Audit Director, 1350 Port of New
Orleans Place, New Orleans, Louisiana 70130 not later than twelve noon, local time, on
Thursday, January 7, 2016. Deliveries are only accepted Monday through Friday, excluding
holidays, from 8 a.m. to 4 p.m.
Inquiries regarding this RFQ shall be directed to Ms. Eileen Pansano by email only at
[email protected]
PART II. GENERAL INFORMATION
INTRODUCTION
The federal government, starting with the Presidential Executive Order Improving Critical
Infrastructure Cybersecurity, is taking steps to enhance cybersecurity in U.S. port facilities.
These initiatives will greatly enhance the security and resiliency of this vitally important sector.
Cybersecurity has been identified as a top priority for the Coast Guard, which has responsibility
for maritime Homeland Security.
The Board of Commissioners of the Port of New Orleans (Board) is designated as a political
subdivision of the State of Louisiana and is subject to federal and state laws governing public
entities, including public records laws and the designation of certain classes of information as
Sensitive Security Information (SSI). The Port of New Orleans is a Facility under federal law
that must operate in compliance with the MARSEC security requirements of Title 33 Code of
Federal Regulations (CFR) Part 105. One of the MARSEC security requirements is that Facilities must
have a Facility Security Plan (FSP) to protect their Facility at the respective MARSEC
levels. The Board’s IT system and the security camera system are infrastructure included
in this FSP.
The Internal Audit Department of the Board is issuing a Request for Qualifications (RFQ) from
firms licensed to do business in Louisiana that are interested in being considered for award of a
contract to perform an IT cybersecurity vulnerability assessment with the intent to identify and
mitigate potential vulnerabilities in its critical IT infrastructure. The Board maintains several
enterprise and departmental software applications and platforms managed in-house and on
premise. The IT cybersecurity assessment will identify vulnerabilities in its information
technology infrastructure, systems, policies and practices and develop a prioritized set of actions
to mitigate the risks identified.
SCOPE OF WORK
The Board will select a qualified consultant on a best value basis using a point-method of award
to undertake a comprehensive IT Cybersecurity Vulnerability Assessment: thoroughly review
the current state of the Port’s information technology security, develop a vulnerability mitigation
plan, and produce a prioritized road map of activities to enhance the Port’s future cybersecurity position.
The consultant’s approach will utilize industry best practice methodologies to ensure a
standardized risk mitigation approach that will offer the highest risk reduction potential. The
approach will complement the ‘Framework for Improving Critical Infrastructure Cybersecurity’
developed by the National Institute of Standards and Technology (NIST) in response to
Presidential Executive Order 13636
(http://www.nist.gov/cyberframework/upload/cybersecurityframework-021214.pdf).
Additionally, the approach shall consider the OpSec (Operations Security) Five Step Process
(http://www.opsecprofessionals.org/process.html) as it pertains to Cybersecurity.
The assessment is to include, but not be limited to:
(a) Test for susceptibility to Advanced Persistent Threats (APTs) such as viruses, malware,
Trojan horses, botnets and other targeted attack exploits. Evaluate the Port of New
Orleans’ current threat posture including antivirus and Intrusion Detection and Prevention
(IDP) capabilities.
(b) Review wireless network system components for security vulnerabilities, validating
system specific configurations and known exploits.
(c) Review Marine Security Operations Center (MSOC) for security vulnerabilities,
validating system specific configurations and known exploits.
(d) Validate system-specific configurations and review for known exploits. This includes
firewalls, switches and routers, Microsoft Active Directory, email and file servers, web
servers, wireless routers, VPN, VoIP and CCTV systems.
(e) Assess VoIP network system components for security vulnerabilities, validating
system-specific configurations and reviewing for known exploits.
(f) Review existing IT policies and procedures and make recommendations for changes
and/or additional policy and procedure development.
The overall engagement will be managed by the consultant, with a defined scope, schedule
and budget. Project activities will be appropriately managed, and project risks and task
progress will be formally communicated.
Scope of the project includes the following:
• External Network Vulnerability Assessment and Penetration Testing
  o Number of IP addresses in target space(s) – 616
  o Number of live hosts – approximately 38
• External Website Vulnerability Assessment and Penetration Testing
  o Number of web servers – 10
• Firewall and Router Configuration Reviews
  o Number and type of firewalls to be reviewed – 6
  o Number of Internet routers to be reviewed – 2
• Wireless Network Assessment and Penetration Testing
  o Number of Wireless Networks – 3
  o Physical Sites to conduct scanning – 6
  o Public Wireless Networks – 2
  o Private Wireless Networks – 1
• Marine Security Operations Center (MSOC) Review
  o Command Bridge regional situation awareness system
  o Security cameras installed around Port properties – 230
INSURANCE
Before a professional services contract can be executed and become effective, the consultant and
each sub-consultant shall furnish to the Board's risk manager certificates evidencing that it has
procured the insurance herein required. Current insurance certificates must be provided for the
coverages required herein during the entire term of this contract. For a period of three years after
termination of this contract, the consultant and any sub-consultant providing professional
services, and any other firm as applicable, must carry applicable insurance as outlined below.
All insurance shall be written with insurance companies authorized and licensed to do business
in the State of Louisiana and acceptable to the Board (Best's rating A-, VI, or better).
Self-insurance programs authorized by the Commissioner of Insurance of the State of Louisiana for
workers' compensation insurance are acceptable with the submission of a certified copy of the
consultant’s authority to self-insure.
All insurance required herein shall be primary to any similar insurance that may be carried by the
Board for its own protection.
Except for the workers' compensation insurance and the professional liability insurance, the
Board shall be named as an additional insured on all policies required herein.
All insurance policies required herein, as well as any other insurance carried by the consultant
for its protection or the protection of its property on the contract shall provide that the insurers
waive in favor of the Board any rights of subrogation the said insurers may be entitled to.
All policies required herein shall provide for thirty (30) calendar days’ written notice of
cancellation or material change to be sent to the Board at P.O. Box 60046, New Orleans,
Louisiana 70160 Attention: Risk Manager. For additional information contact the Board’s risk
manager at (504) 528-3273.
All insurance policies herein required shall remain in full force and effect for the duration of this
contract. If any insurance required herein is canceled or materially changed and not immediately
replaced during the term of this contract, the Board reserves the right to purchase insurance at the
expense of the consultant to protect the Board's interest. The furnishing of insurance shall not
relieve the consultant of the responsibility for losses not covered by insurance. The Board makes
no representation or warranty that the insurance the Board requires will be sufficient to protect
the consultant’s interests. The consultant shall be responsible for the full amount of any
deductible associated with any of the insurance policies required herein. A combination of
primary and excess insurance may be used to satisfy the insurance requirements.
The insurance requirements are as follows:
Comprehensive General Liability Insurance – Consultant shall procure and maintain at its
sole cost and expense comprehensive general liability insurance (on an occurrence basis) with
limit of liability of not less than one million dollars ($1,000,000) for all injuries or deaths
resulting to any one person or from any one occurrence. The aggregate limit for products and
completed operations shall be not less than one million dollars ($1,000,000). The limit of
liability for property damage shall be not less than one million dollars ($1,000,000) for each
occurrence and aggregate.
Comprehensive Motor Vehicle Liability Insurance – Consultant shall procure and maintain at
its sole cost and expense comprehensive motor vehicle liability insurance which shall include
hired car and non-ownership coverage with limit of liability of not less than one million dollars
($1,000,000) for all injuries or deaths resulting to any one person or from any one occurrence.
The limit of liability for property damage shall be not less than one million dollars ($1,000,000)
for each occurrence and aggregate.
Workers' Compensation Insurance – Consultant shall procure and maintain at its sole cost and
expense workers’ compensation insurance which will protect it from claims under the Louisiana
Workers’ Compensation Act (LSA 23:1021, et seq.). The limits of liability under the employer’s
liability section of the workers’ compensation policy, as well as both compensation schemes,
shall be not less than one million dollars ($1,000,000).
Professional Liability Insurance – Consultant shall procure and maintain errors and omissions /
professional liability insurance in the amount of one million dollars ($1,000,000) per claim and
two million dollars ($2,000,000) annual aggregate. The insurance shall be in full force and effect
for a period of three years after completion of the project. Such insurance shall be issued subject
to a deductible not to exceed ten thousand dollars ($10,000.00) that will be for the account of the
consultant.
SELECTION PROCESS AND CRITERIA
This RFQ uses a two-part process. A short list of the three to five top-ranked prime firms will
be developed based on the evaluation of the qualifications submitted for this RFQ. Those
consultants who receive notification of being short-listed will be sent a Request for
Proposal (RFP) as described in Part III herein and will be ranked using the criteria
described there for final recommendation.
COMPENSATION
Compensation for services will be based on all-inclusive hourly rates for various classifications
of personnel working on a project. Direct costs and sub-consultant costs will be compensated
based on actual invoiced costs with no multipliers. Total contract value will be the final
not-to-exceed fee negotiated by Board staff, after evaluation of the RFPs.
AUDIT REQUIREMENTS
The selected consultant, and any of its sub-consultants, shall maintain accounting records for
three years, as a condition to the award of this public contract, for the Legislative Auditor of the
State of Louisiana and/or the Board’s auditors to inspect, examine and/or conduct an audit of all
books, accounts and records of firms pertaining to the performance of contractual obligations and
the compensation due to be received under this contract.
TRANSPORTATION WORKER IDENTIFICATION CREDENTIALS
Work within the Board’s terminals and at most other properties, such as the Harbor Police
building, requires Transportation Security Administration Transportation Worker Identification
Credentials (TWIC). Federal regulations require that persons seeking entry to restricted areas
of United States ports must present a valid TWIC card and must maintain possession of the
TWIC at all times in secure port areas. Without a TWIC or an approved Port of New Orleans
authorized TWIC escort, no entry will be allowed into restricted areas. Port personnel will not
be responsible for providing escorting services to any consultants. The Board does not
compensate consultants for obtaining TWIC for its employees and sub-consultants. Processing
for a TWIC can take several weeks, and consultants should ensure that key personnel on the
team have applied for TWIC on Notice of Award of a contract. Entry into the Board’s
administrative headquarters does not require a TWIC card.
AFFIDAVITS
Affidavits will need to be executed by the person or firm doing business with the
Board at the time of entering a contract. Refer to the Port of New Orleans website at
www.portno.com under PROCUREMENT under INFORMATIONAL DOCUMENTS under
AFFIDAVITS.
Sub-consultants do not need to provide affidavits to the Board, only the Prime consultant. The
affidavits submitted by the Prime consultant to the Board are due at the time of submitting the
final contract for execution. Consultants should read the affidavits and be aware that they are a
requirement in order to enter into a contract with the Board.
PART III. REQUIREMENTS TO RESPOND TO THIS RFQ
SUBMITTAL REQUIREMENTS
Any prime consultant/team failing to submit any of the information required will be considered
non-responsive. Facsimiles and email submittals will not be accepted.
SUBMITTAL FORM
1. Contract Name: IT Cybersecurity Vulnerability Assessment
2. Announcement Date: November 23, 2015
3a. Registered Firm Name / State of Registration
    (Note: Louisiana registration will be required for the winning bidder)
3b. Name, Title, Telephone number and email address of the signing authority
3c. Name, title, telephone number, and e-mail address of full-time professional in charge
4. List the number and type of full-time professional personnel on firm’s payroll who are likely to
   work under the contract.
5. Do you presently have sufficient staff to perform the services to undertake this work in the
   next 5 months? (Yes/No)
6. (For use by the prime consultant only)
   Do you intend to use a sub-consultant(s) for services? (Yes/No)
   If yes in box 6, identify the element of work and the percent of the contract scope of work to be
   performed by each sub-consultant, and whether the sub-consultant is a certified SBE.
(12/2/15 Revision: Sub-consultant information has been modified for clarity.)
Name and Address of Consultant: __________
   Is sub-consultant a certified SBE? __________
   Expected percentage of contract to be performed ______%
Name and Address of Consultant: __________
   Is sub-consultant a certified SBE? __________
   Expected percentage of contract to be performed ______%
Name and Address of Consultant: __________
   Is sub-consultant a certified SBE? __________
   Expected percentage of contract to be performed ______%
7. Staffing Plan – A Diagram showing all key personnel that would be available for assignment.
These key personnel will be obligated to perform at least 60% of the total effort. The Staffing
Plan should also include the same information for sub-consultants (if applicable).
8. Brief resume of key persons anticipated to work on project (repeat as necessary)
a. Name & domicile
b. Job Title:
c. Name of firm by which employed full time
d. Years of experience:
   With this firm
   With other firms
e. Education: Degree(s) / Years / Specialization
f. Certifications
9. Work by firm which best demonstrates IT Cybersecurity Vulnerability Assessments relevant to
   this contract as shown in Box 1 (List no more than 5 projects)
   a. Project name & location
   b. Project description
   c. Nature of firm’s responsibility & key personnel involved
   d. Owner’s name, address, and telephone number
   e. Contract Completion Date
10. This is to certify that all information contained herein is accurate and true.
Signature of Authorized Representative (same as 3b) ___________________________________
Date ______________
EVALUATION CRITERIA OF THE RFQ
The general criteria to be used by the Consultant Evaluation Committee in evaluating responses
for the selection of three to five Consultants/Teams to receive an RFP for the contract are:
1. The described approach and methodology to be used by the respondent
2. The corporate background, experience, and financial stability
3. Staffing and support personnel qualifications
4. Small Business Enterprise (SBE) participation
(12/2/15 Revision: Removed “Cost of proposal”; proposed costs are to be included in the RFP only.)
The evaluation will be by means of a point-based rating system of the prime consultant/team as a
whole. The Consultant Evaluation Committee will be responsible for performing the above
described evaluation, and presenting a short-list of three to five of the highest rated prime
consultants to the Board’s Chief Operating Officer. These short-listed firms will receive an RFP.
PART IV. REQUIREMENTS TO RESPOND TO AN RFP IF INVITED
INVITATION TO RESPOND TO RFP
Only those firms short-listed by the Consultant Evaluation Committee will receive an
invitation to respond to the RFP for each contract.
REQUEST FOR PROPOSALS
All RFP respondents will be required to submit their response as stipulated in the RFP. There
are three components that will be required to respond to the RFP:
1) A written project proposal which includes a high-level technical description of the
procedures to be used for the project and a description of the deliverables;
2) A Certification Statement; and a
3) Price Proposal in a separate, sealed envelope.
The consultant’s written project proposal, certification statement, fee proposal and any and all
other forms required in the RFP shall be submitted as stated therein. Any consultant/team failing
to submit any of the required information will be considered non-responsive. Facsimiles and
email submittals of the Project Proposal or Fee Proposal will not be accepted. The following
information is required to respond to the RFP, if invited:
1) Written Project Proposal: Six bound sets plus one original. The information should
correspond to the criteria upon which the evaluations will be scored and indicated herein.
2) Certification Statement: Certifies that the proposer has read and understands all
requirements and specifications of the RFP
3) Price Proposal: A schedule based on all-inclusive hourly rates for various classifications
of personnel working on a project. Direct costs and sub-consultant costs will be
compensated based on actual invoiced costs with no multipliers. The contract will be
issued on a not-to-exceed basis.