(Attachment A)

BIDDER QUESTIONNAIRE

Part A - GENERAL INFORMATION

1. Contact Information: List the one person who SAWS may contact concerning your bid.

Name:

Address:

City: State: Zip Code:

Telephone No.: ______ Fax No.: ______ Email: ______

Printed Name of Contract Signatory: ______

Job Title: ______

2. Is Bidder authorized and/or licensed to do business in Texas?

Yes No If “Yes”, list authorizations/licenses.

3. Where is the Bidder’s corporate headquarters located?

4. Local Operation: Does the Bidder have an office located in San Antonio, Texas?

Yes No If “Yes”, respond to a and b below:

a. How long has the Bidder conducted business from its San Antonio office?

Years ______ Months ______

b. State the number of full-time employees at the San Antonio office.

5. County Operation: If the Bidder does not have a San Antonio office, does the Bidder have an office located in Bexar County, Texas?

Yes No If “Yes”, respond to a and b below:

a. How long has the Bidder conducted business from its Bexar County office?

Years ______ Months ______

b. State the number of full-time employees at the Bexar County office. ______

______

______

6. Provide any other names under which Bidder has operated within the last 10 years.

______

______


(Attachment B - 1)

PRICING SCHEDULE

For Activity 1

Bidder must provide pricing for ALL services under this Price Schedule.

No / Description / UOM / Quantity / Unit Price / Extended Price
1 / External Vulnerability and Penetration Testing – enterprise network and external facing applications. / lump sum / 1 / $ / $
2 / Internal Vulnerability Scan – enterprise network (wired and wireless) / lump sum / 1 / $ / $
GRAND TOTAL / $

Contractor’s pricing plans and cost of services to be provided will be evaluated and will be a part of determining the overall “Best-Value” Bid.

Pricing shall be enclosed in a separate sealed envelope, marked “PRICING For Activity 1”.

(Attachment B - 2)

PRICING SCHEDULE

For Activity 2

No / Description / UOM / Quantity / Unit Price / Extended Price
1 / SCADA Control system network vulnerability and penetration testing to include the following:
a)  Review Security Architecture
b)  Review of Security Policies, Procedures and Practices
c)  Review of Technical Security Controls and Mechanisms
d)  Analysis of Findings and Prepare Documentation / lump sum / 1 / $ / $
GRAND TOTAL / $

Contractor’s pricing plans and cost of services to be provided will be evaluated and will be a part of determining the overall “Best-Value” Bid.

Pricing shall be enclosed in a separate sealed envelope, marked “PRICING For Activity 2”.

(Attachment B - 3)

PRICING SCHEDULE

For Activity 3

No / Description / UOM / Quantity / Unit Price / Extended Price
1 / Outdoor wireless vulnerability and penetration testing to include the following:
a)  Review Security Architecture
b)  Review of Security Policies, Procedures and Practices
c)  Review of Technical Security Controls and Mechanisms
d)  Analysis of Findings and Prepare Documentation / lump sum / 1 / $ / $
GRAND TOTAL / $

Contractor’s pricing plans and cost of services to be provided will be evaluated and will be a part of determining the overall “Best-Value” Bid.

Pricing shall be enclosed in a separate sealed envelope, marked “PRICING For Activity 3”.

(Attachment C)

QUALIFICATIONS

Qualifications

a.  Bidder must provide a description of its operational structure and operating history, which reflects that it has been actively engaged for a minimum of three (3) consecutive years as a contractor providing the same services as specified in the scope of work on this best value bid.

b.  Bidder must also provide information about its company’s core competencies, special recognitions and awards, and other information relevant to the scope of this best value bid.

c.  Bidder must provide comprehensive resumes of the personnel performing the security assessment services, including their past and current professional experience, education, certifications, qualifications, accreditations and other information necessary to be considered as a qualified auditor.

d.  The preferred bidder shall have resources working on the assessment who are certified in one or all of the following and who demonstrate the necessary subject matter expertise to adequately perform the assessment.

i.  CISSP (Certified Information Systems Security Professional)

ii.  GIAC (Global Information Assurance Certification)

iii. CCSP (Cisco Certified Security Professional)

Please check if response is included as a separate document.

BY: ______

TITLE: ______

FOR: ______

(Name of Firm Submitting Bid)

DATE: ______

(Attachment D)

SIMILAR PRIOR EXPERIENCES

Number of years engaged in this type of business. (_____) Years

Similar Prior Experience

1.  The bidder must have performed at least five (5) security assessments in the past three (3) years. Please provide the last five (5) assessments performed and the names of the companies served.

2.  Bidder must also provide customer reviews or letters that may be helpful in the evaluation process.

3.  Bidder must provide documentation of a proven track record of providing assessments similar to those required under this best value bid.

Please check if response is included as a separate document.

BY: ______

TITLE: ______

FOR: ______

(Name of Firm Submitting Bid)

DATE: ______

(Attachment E)

REFERENCES / SIMILAR PRIOR EXPERIENCE

Bidder shall provide at least three (3) quality contact references who are currently utilizing, or have in the past utilized, the same service indicated in the scope of the bid. Please include company name, contact person, phone number, email address and date.

Reference 1
Client Name:
Point of Contact:
Phone Nos. / Fax No.
Email Address: / Mobile No.
Address:
Description:
Reference 2
Client Name:
Point of Contact:
Phone Nos. / Fax No.
Email Address: / Mobile No.
Address:
Description:
Reference 3
Client Name:
Point of Contact:
Phone Nos. / Fax No.
Email Address: / Mobile No.
Address:
Description:

If more space is needed, please provide the information on a separate sheet.

(Attachment F - 1)

PROJECT APPROACH & METHODOLOGY

Activity 1

External Vulnerability and Penetration Testing (enterprise network), Application Vulnerability & Scan (external facing only), and Internal Vulnerability & Scan (enterprise network - wired and wireless)

This criterion will measure the bidder’s ability and capability in performing the scope of services, the cost-effectiveness of service while committing to industry-leading quality standards, the ability to commit to an accurate and complete assessment through extensive validation and verification processes, and the high-quality on-site personnel required under this best value bid. Please provide the following:

1.  Brief description of Vendor’s Quality Assurance Methods and Standards.

2.  One (1) to Three (3) sample security assessments that were performed in the past three (3) years.

3.  Bidder must demonstrate familiarity with NIST and NERC compliance requirements.

4.  Please acknowledge that your organization can provide each of these services, and describe how these requirements will be met and what methods and procedures will be used.

a)  External Vulnerability and Penetration Testing (enterprise network and external facing applications), and Internal Vulnerability & Scan (enterprise network - wired and wireless)

i.  Review Security Architecture

ii.  Review of Security Policies, Procedures and Practices

iii.  Review of Technical Security Controls and Mechanisms

iv.  Analysis of Findings and Prepare Documentation

5.  Provide follow-up procedure after the assessment.

Please check if response is included as a separate document.

Please check if NO RESPONSE.

BY: ______

TITLE: ______

FOR: ______

(Name of Firm Submitting Bid)

DATE: ______


(Attachment F - 2)

PROJECT APPROACH & METHODOLOGY

Activity 2

SCADA Control system network vulnerability and penetration testing

This criterion will measure the bidder’s ability and capability in performing the scope of services, the cost-effectiveness of service while committing to industry-leading quality standards, the ability to commit to an accurate and complete assessment through extensive validation and verification processes, and the high-quality on-site personnel required under this best value bid. Please provide the following:

1.  Brief description of Vendor’s Quality Assurance Methods and Standards.

2.  One (1) to Three (3) sample security assessments that were performed in the past three (3) years.

3.  Bidder must demonstrate familiarity with NIST and NERC compliance requirements.

4.  Please acknowledge that your organization can provide the below service, and describe how these requirements will be met and what methods and procedures will be used.

a)  SCADA Control system network vulnerability and penetration testing

i.  Review Security Architecture

ii.  Review of Security Policies, Procedures and Practices

iii.  Review of Technical Security Controls and Mechanisms

iv.  Analysis of Findings and Prepare Documentation

5.  Provide follow-up procedure after the assessment.

Please check if response is included as a separate document.

Please check if NO RESPONSE.

BY: ______

TITLE: ______

FOR: ______

(Name of Firm Submitting Bid)

DATE: ______


(Attachment F - 3)

PROJECT APPROACH & METHODOLOGY

Activity 3

Outdoor Wireless Network Vulnerability and Penetration Testing

This criterion will measure the bidder’s ability and capability in performing the scope of services, the cost-effectiveness of service while committing to industry-leading quality standards, the ability to commit to an accurate and complete assessment through extensive validation and verification processes, and the high-quality on-site personnel required under this best value bid. Please provide the following:

1.  Brief description of Vendor’s Quality Assurance Methods and Standards.

2.  One (1) to Three (3) sample security assessments that were performed in the past three (3) years.

3.  Bidder must demonstrate familiarity with NIST and NERC compliance requirements.

4.  Please acknowledge that your organization can provide each of these services, and describe how these requirements will be met and what methods and procedures will be used.

a)  Outdoor Wireless Network Vulnerability and Penetration Testing

i.  Review Security Architecture

ii.  Review of Security Policies, Procedures and Practices

iii.  Review of Technical Security Controls and Mechanisms

iv.  Analysis of Findings and Prepare Documentation

5.  Provide follow-up procedure after the assessment.

Please check if response is included as a separate document.

Please check if NO RESPONSE.

BY: ______

TITLE: ______

FOR: ______

(Name of Firm Submitting Bid)

DATE: ______

(Attachment G)

FINANCIAL INFORMATION

a)  Bidder must be financially stable to provide a long-term security advisory role.

b)  The bidder must have been in business at least three (3) years under its current DBA name. The bidder must provide a current published financial report or, if privately owned, provide a Dun & Bradstreet number.

c)  Provide information to assist SAWS in assessing Bidder’s demonstrated capability and financial resources to provide the goods or services described in this Bid. Financial Stability includes the following: The bidder has been in business at least 3 years. The bidder must provide a current audited financial report to include Income Statement, Balance Sheet and Statement of Cash Flow. If privately owned, SAWS reserves the right to accept non-audited financial reports as defined above. Written references must be provided if requested by SAWS. Information provided must offer an indication of Bidder’s financial stability, history, and commitment to providing quality services for clients.

Please check if response is included as a separate document.

BY: ______

TITLE: ______

FOR: ______

(Name of Firm Submitting Bid)

DATE: ______

(Attachment H)

GOOD EFFORT PLAN

This form must be completed regardless of Contractor’s classification.

Name of the Project:

SECTION A: PROPOSER INFORMATION

Name of Firm:

Address:

City: State: Zip Code:

Contact Person: Telephone:

Email Address: Fax No. :

Is your firm Certified? Yes No If certified, attach copy of Certification Affidavit

Type of Certification: AABE MBE WBE SBE

(See attached definitions)

Prime’s Percent Participation on this Project: %

List ALL SUBCONTRACTORS/SUPPLIERS that will be utilized on this project/contract.

Name & Full Address of Company / Scope of Work/Supplies to be Performed/Provided by Firm / % Level of Participation on this Project / If Firm is Certified, Provide Certification Agency name and attach copy of Certification Affidavit
1.
2.
3.
4.

SECTION B. – SMWB COMMITMENTS

The SMWB goal on this project is 19%

1.  The undersigned proposer has satisfied the requirements of the Bid specification in the following manner (please check the appropriate space):

___ The proposer is committed to a minimum of 19% SMWB utilization on this contract.

___ The proposer (if unable to meet the SMWB goal of 19%) is committed to a minimum of ______% SMWB utilization on this contract. (If contractor/consultant is unable to meet the goal, please submit documentation demonstrating good faith efforts).

2. Name and phone number of person appointed to coordinate and administer the SMWB requirements on this project.

Name: Title:

Telephone No. :

IF THE SMWB GOAL WAS MET, PROCEED TO AFFIRMATION AND SIGN THE GFEP. IF GOAL WAS NOT MET, PROCEED TO SECTION C.

SECTION C – GOOD FAITH EFFORTS (Fill out only if the SMWB goal was not achieved).

1.  List all firms you contacted with subcontracting/supply opportunities for this project that will not be utilized for the contract by choice of the proposer, subcontractor, or supplier. Written notices to firms contacted by the proposer for specific scopes of work identified for subcontracting/supply opportunities must be provided to subcontractor/supplier not less than five (5) business days prior to bid/proposal due date. The following information is required for all firms that were contacted for subcontracting/supply opportunities.

Name & Address of Company / Scope of Work/Supplies to be Performed/ Provided by Firm / Is Firm SMWB Certified? / Date Written Notice was Sent & Method (Fax, Letter, E-Mail) / Reason Agreement was not reached?
1.
2.
3.
4.
5.
6.

(Use additional sheets as needed)

In order to verify a proposer’s good faith efforts, please provide to SAWS copies of the written notices to all firms contacted by the proposer for specific scopes of work identified in relation to the subcontracting/supply opportunities in the above-named project. Copies of said notices must be provided to the SMWB Program Manager at the time that the bid is due. Such notices shall include information on the plans, specifications, and scope of work.

3. List all SMWB listings or directories, contractor associations, and/or any other associations utilized to solicit SMWB Subcontractors/suppliers.