REQUEST FOR PROPOSALS (RFP) 15378A FOR DENVER WATER S Information Technology Third Party Patch Management Software Issue Date: March 4, 2014 Proposal Due Date: Tuesday, March 18, 2014 by 11:00 AM Mountain Time to: Denver Water Purchasing & Contracting Attention: Yua Her/ RFP No. 15378A 1600 West 12 th Avenue, Building 12 Denver, CO 80204-3412 To be considered for selection, a duly authorized agent of the Proposer must complete and sign this page and submit it with the Proposal. Signature below indicates that the Proposer has read and understands the requirements set forth in this Request for Proposals. Proposer s Business Name: By / Title: Duly authorized agent s name and title must be typed or clearly written Signature: Date: E-mail: Phone: Fax No.: Business Address:
SOLICITATION INTRODUCTION: The City and County of Denver, acting by and through its Board of Water Commissioners (also Denver Water and the Board ), is issuing this Request for Proposal ( RFP ) for third party enterprise patch management software. The Board is seeking Proposals from qualified Proposers who have specific experience in the area(s) identified in this RFP. To be eligible for consideration, the Proposer must be capable of meeting all requirements specified in this RFP. SCHEDULE OF EVENTS*: RFP Issued Tuesday, March 04, 2014 2:00 P.M. Deadline to Submit Intent to Propose via e-mail to: Monday, March 10, 2014 11:00 A.M. Deadline to Submit Requests for Monday, March 10, 2014 11:00 A.M. Clarification and Additional Information Anticipated Response to Written Thursday, March 13, 2014 1:00 P.M. Requests for Clarification and Additional Information Proposal Due Date Tuesday, March 18, 2014 11:00 A.M. Anticipated Video Conference Interviews Monday April 10, 2014 and Product Demonstrations Anticipated Proposal Selection Monday, April 21, 2014 *All dates are tentative and subject to change and/or cancellation at Denver Water s sole discretion. Denver Water will notify potential Proposers of any and all necessary changes and/or cancellations via written addendum. All times included on this Schedule of Events are Mountain Time. 15378A RFP Page 2 of 14
TABLE OF CONTENTS SECTION 1 GENERAL INFORMATION 4 1.1 INTRODUCTION TO DENVER WATER: 4 1.2 INTENT TO PROPOSE 4 1.3 SOLICITATION DOCUMENTS AND ADDENDA 4 1.4 ADDENDA 4 1.5 PROPOSAL PREPARATION COST 4 1.6 ACCEPTANCE 4 1.7 WITHDRAWAL OR MODIFICATION OF PROPOSALS 4 1.8 RIGHT TO REJECT PROPOSALS 5 1.9 RIGHT TO NEGOTIATE 5 1.10 SAMPLE AGREEMENT 5 1.11 AGREEMENT TERM 5 1.12 AGREEMENT PRICING 5 SECTION 2 INSTRUCTIONS FOR RESPONDING TO RFP 6 2.1 REQUESTS FOR CLARIFICATION AND ADDITIONAL INFORMATION 6 2.2 PROPOSAL DUE DATE 6 2.3 PROPOSAL SUBMISSION 6 2.4 PROPRIETARY OR CONFIDENTIAL INFORMATION 6 SECTION 3 EVALUATION AND SELECTION PROCESS 8 3.1 AGREEMENT REQUIRED 8 3.2 EVALUATION AND SELECTION PROCESS 8 3.3 INTERVIEWS/SHORT LIST/SITE VISITS/PRESENTATIONS 8 SECTION 4 PROJECT DESCRIPTION 9 4.1 BACKGROUND 9 4.2 SCOPE OF WORK 9 SECTION 5 PROPOSED PRICING / FEE SCHEDULE 10 5.1 PROPOSED FEE SCHEDULE FORMAT 10 SECTION 6 COMPLETION OF PROPOSAL 11 6.1 REQUIRED PROPOSAL FORMAT 11 EXHIBIT A- REQUIRED SUBMISSION INFORMATION 13 15378A RFP Page 3 of 14
SECTION 1 GENERAL INFORMATION 1.1 INTRODUCTION TO DENVER WATER: Denver Water is a municipal corporation and a political subdivision of the State of Colorado, under the control of a five-member Board appointed by the Mayor of Denver. As such, it is governed by the Denver Charter and other laws applicable to governmental entities. The Denver Charter grants the Board all the powers of the City and County of Denver including those granted by the Constitution and by the law of the State of Colorado and by the Charter. Specifically, the Charter gives the Board complete charge and control of a water works system and plant for supplying the City and County of Denver and its inhabitants with water for all uses and purposes. It is the largest municipal public utility in Colorado, serving water to more than one million people, about one-quarter of the state s population. 1.2 INTENT TO PROPOSE: Interested parties should submit their intent to propose via e-mail to the Contract Specialist at yua.her@denverwater.org, including the following information for RFP communication purposes: Proposer s business name Contact name and title Contact e-mail address Contact phone number 1.3 SOLICITATION DOCUMENTS AND ADDENDA: Potential Proposers should obtain all relevant documents pertaining to this solicitation and all issued addenda from the Rocky Mountain E-Purchasing System website at www.rockymountainbidsystem.com. 1.4 ADDENDA: In the event it becomes necessary to revise, change, clarify, provide additional information about, and/or cancel this RFP, Denver Water will issue a written addendum. It is the sole responsibility of the Proposer to attach to its Proposal(s) a signed copy of all addenda. 1.5 PROPOSAL PREPARATION COST: Denver Water will not be responsible for any costs incurred by Proposers in the preparation of Proposals. All costs, including but not limited to printing, materials, travel and expenses, incurred in the preparation and submission of a Proposal must be borne solely by the Proposer. 1.6 ACCEPTANCE: By submitting a Proposal in response to this RFP, Proposer acknowledges that its Proposal is valid for a period of 90 calendar days from the Proposal due date. 1.7 WITHDRAWAL OR MODIFICATION OF PROPOSALS: Proposals may be withdrawn or modified by Proposers prior to the Proposal due date, but only upon written request. After the Proposal due date, Denver Water will not return Proposals or other information supplied to Denver Water. 15378A RFP Page 4 of 14
1.8 RIGHT TO REJECT PROPOSALS: The Board may choose to reject any or all Proposals, either in whole or in part, and to waive any formality in Proposals received, if deemed in the best interest of the Board. Basis for rejection may include but is not necessarily limited to the following: Any Proposal conditioned upon the Board s acceptance of terms and conditions deemed by the Board to be unacceptable. Any Proposal from a Proposer who is in arrears to the City and County of Denver or the Board upon debt or contract, or who is a defaulter as surety or otherwise, upon any obligation to the City and County of Denver or the Board. Any Proposal from Proposers determined to be financially unable to perform the required work. This determination will be at Denver Water s sole discretion and may be based upon analysis of the Proposer s Certified Financial Statements, Dun and Bradstreet reports, and/or other requested financial information. Any Proposal received after the specified Proposal due date and time. Any Proposal so received may be returned to the Proposer unopened. Any Proposal that does not meet the requirements specified in this RFP and/or has been determined to be unsatisfactory, in whole or in part, by Denver Water at its sole discretion. 1.9 RIGHT TO NEGOTIATE: Denver Water may select one or more Proposals, and may negotiate any and all elements of a Proposal, if deemed to be in the best interest of Denver Water. 1.10 SAMPLE AGREEMENT: The selected Proposer will be required to sign a Denver Water Agreement. A sample of this Agreement is attached as a separate document, Exhibit B, and is subject to Denver Water s revision. Any and all modifications and/or exceptions to the terms and conditions contained in this sample Agreement must be clearly marked on Proposer s official company letterhead and submitted with the Proposal under Tab 8. A Proposal with modifications and/or exceptions to the terms and conditions contained in this sample Agreement may be rejected. 1.11 AGREEMENT TERM: Denver Water expects the term of the resulting Agreement to be three (3) years, commencing on the date the Agreement is executed by the Board, subject to extension as provided herein. The Agreement may be extended up to two additional one (1) year terms resulting in a five year contract based on satisfactory performance. 1.12 AGREEMENT PRICING: Pricing submitted with the Proposal must be as specified in Section 5 Proposed Pricing / Fee Schedule and may be incorporated in whole or in part into the resulting Agreement. 15378A RFP Page 5 of 14
SECTION 2 INSTRUCTIONS FOR RESPONDING TO RFP 2.1 REQUESTS FOR CLARIFICATION AND ADDITIONAL INFORMATION: All requests for clarification or additional information must be made in writing to the Contract Specialist at the e-mail address shown below: Contract Specialist: Yua Her E-Mail: yua.her@denverwater.org Phone: (303) 628-6361 The Denver Water Contract Specialist listed above is the sole point of contact between Denver Water and all Proposers. Proposers may not contact any other Denver Water personnel regarding this RFP during the RFP process without prior written authorization from this Contract Specialist. Responses to requests for clarification and additional information and/or changes to the RFP received before the deadline specified in the SCHEDULE OF EVENTS will be made by written addendum. All responses to requests for clarification and additional information from any Proposer will be provided to all Proposers. Oral explanations, interpretations or representations given by Denver Water employees cannot be construed as a change to the RFP requirements. 2.2 PROPOSAL DUE DATE: Proposals must be received no later than the deadline specified in the SCHEDULE OF EVENTS at the address listed below. 2.3 PROPOSAL SUBMISSION: Proposer must submit one (1) original Proposal, clearly marked, two (2) copies, and one (1) electronic copy on CD or flash drive. Proposals, including electronic copy, are to be in either a sealed envelope or box, labeled with the RFP number and name, and addressed as indicated below. Denver Water will not be responsible for any Proposal not addressed as indicated below. Proposals may be mailed or hand-delivered. Proposals sent via electronic method such as e- mail or fax will not be accepted. Submit Proposals to: Denver Water Purchasing & Contracting Attention: Yua Her / RFP No. 15378A 1600 West 12 th Avenue, Building 12 Denver, CO 80204-3412 2.4 PROPRIETARY OR CONFIDENTIAL INFORMATION: Proposers acknowledge that Denver Water may be required to disclose any or all of the documents submitted with a Proposal, pursuant to the Colorado Open Records Act, C.R.S. 24-72-201.1, et seq. Under C.R.S. 24-72-204(3)(a)(IV), Denver Water may deny inspection of any confidential commercial or financial information furnished to Denver Water by an outside 15378A RFP Page 6 of 14
party. Therefore, a Proposer must clearly designate any documents submitted with its Proposal that the Proposer deems proprietary or confidential, to aid Denver Water in determining what must be disclosed in response to a request for documents under the Colorado Open Records Act. The Proposer s designation of material as confidential must be reasonable or it will not be honored. For example, a Proposer may not designate the entire Proposal to be confidential and proprietary. 15378A RFP Page 7 of 14
SECTION 3 EVALUATION AND SELECTION PROCESS 3.1 AGREEMENT REQUIRED: This RFP is not a contractual offer. Any Proposer selected in response to this RFP will be required to execute an Agreement with Denver Water. 3.2 EVALUATION AND SELECTION PROCESS: Proposals will be evaluated by criteria described in this RFP. Proposals considered responsive will be evaluated for completeness of information provided, the Proposer s adherence to RFP requirements, support for claims made, and the overall approach taken. Denver Water s objective is to select the Proposal(s) judged to be in the best interest of Denver Water. Proposals may be evaluated using criteria including but not limited to: Understanding of the work to be performed Proposal pricing Robustness of Proposer s third party product/application catalog Compliance with National Institute of Standards and Technology (NIST) Special Publication 800-40 version 2.0 recommendations and standards Software quality and features Any Other Relevant and Appropriate Factors as Deemed by Denver Water This list does not reflect or imply any weighting or relative importance of criteria. While price may be a consideration, the Board is not bound to accept the lowest-priced Proposal. 3.3 INTERVIEWS/SHORT LIST/SITE VISITS/PRESENTATIONS: Denver Water may request interviews, oral or visual presentations, product demonstrations, and/or the opportunity to ask additional questions of Proposers as deemed necessary during the evaluation process. Denver Water may require additional information from Proposers after the Proposal due date as necessary to complete the evaluation process. 15378A RFP Page 8 of 14
SECTION 4 PROJECT DESCRIPTION 4.1 BACKGROUND: Denver Water is seeking proposals from qualified vendors to provide third party enterprise patch management software and annual maintenance and support as described below. Denver Water has approximately 1,500 clients which includes desktops, laptops, and tablets. The third party enterprise patch management software will integrate with Microsoft System Center Configuration Manager 2012 and Windows Server Update Services. The Proposer s third party product/application catalog must be robust and provide comprehensive patching solutions for both common and uncommon software applications. 4.2 SCOPE OF WORK: The successful Proposer will provide the following to Denver Water: 1. Third party enterprise patch management software and license for up to 1,500 clients. 2. Annual maintenance and product support throughout the term of the contract. 3. Distribute vulnerability and remediation information to Denver Water s system administrator(s). 4. All Software terms and conditions (End User License Agreement [EULA], etc.) must be supplied and agreed to prior to the execution of this agreement. The software must meet the recommendations of the NIST Special Publication 800-40, Version 2.0 and include the following minimum features: a. Vulnerability assessment scanning and reporting to identify vulnerabilities associated with patches and risks to unpatched clients. b. Ability to proactively prevent security threats and ease patch operations without manual intervention. c. Ability to build custom updates if needed. d. Ability to choose and edit or customize patches. e. Support utilities built in the application console. f. Ability to rollback/uninstall updates. g. Timely releases of updates. Fast response time for vulnerability and patch creation. h. Vendor tested updates. i. Interoperability with the U.S. government vulnerability and patching resources and standards. j. Notification tools. k. Monitor security sources for vulnerability announcements, patch and non-patch remediation, and emerging threats that correspond to the software within Denver Water s system inventory. l. Prioritize the order in which the Denver Water addresses remediating vulnerabilities. m. Create a database of remediation that need to be applied Denver Water. n. Conduct testing of patches and non-patch remediation. o. Perform automated deployment of patches to IT devices using enterprise patch management tools. 15378A RFP Page 9 of 14
SECTION 5 PROPOSED PRICING / FEE SCHEDULE 5.1 PROPOSED FEE SCHEDULE FORMAT: Proposers must submit pricing similarly to the sample template given below that include all perpetual and/or subscription license options and fees, annual maintenance and support fees, and any installation and training fees that may be recommended or required to fully implement and operate the software application. Each fee must be listed as a separate line item. Additional information other than that listed may be provided, although Denver Water encourages Proposers to attempt to align their proposals as closely as possible to the template provided. Proposers must submit price proposals that cover the duration of the resulting contract period (a minimum of 3 years). Price proposals must consider any desired increases which are to be considered a pass-through cost to Denver Water. Fee Description Number of Clients Software License 1,500 Type of License: Perpetual/ Subscription First Year Rate Second Year Rate Third Year Rate Annual Maintenance and Support 1,500 1,500 1,500 1,500 15378A RFP Page 10 of 14
SECTION 6 COMPLETION OF PROPOSAL 6.1 REQUIRED PROPOSAL FORMAT: Proposals must conform to the following format. The extent to which Proposers follow these instructions is relevant as part of the evaluation process. The Proposal must conform to the following submission format and each tab must be clearly marked as indicated below: Tab 1 Cover Letter Tab 2 Proposer Introduction Tab 3 Understanding of Work Tab 4 Proposal Rates Section 5 Proposed Pricing / Fee Schedule Tab 5 Small Business Enterprise / Minority and Women Business Enterprise Status Tab 6 Other Required Submission Information Tab 7- Proposer s End User License Agreement Tab 8- Exceptions to Denver Water s Terms and Conditions contained in Exhibit B Sample Agreement Tab 1 Cover Letter: Proposer must submit a cover letter of no more than one (1) page printed on Proposer s letterhead. The letter must be signed by a duly authorized agent of the Proposer. Tab 2 Proposer Introduction: Proposer must submit information about the Proposer s experience and background. Include complete information regarding experience with this type of work, number of years in business, number of employees, etc. Also include a main point of contact for all RFP correspondence, including name, title, phone number and e-mail address. This section must be no more than two (2) pages in length. Tab 3 Understanding of Work: Proposer must provide a brief narrative of understanding of the project and the key issues involved. This section must be no more than four (4) pages in length. Tab 4 Proposal Rates: Proposer must include proposal rates as specified in Section 5 Proposed Pricing / Fee Schedule. Tab 5 Small Business Enterprise (SBE) / Minority and Women Business Enterprise (MWBE) Status: Denver Water has SBE and MWBE programs that are described on our web site. Proposers should include relevant SBE and MWBE information at this Tab. Tab 6 Other Required Submission Information: Proposers must respond to questions located in Exhibit A: Required Submission Information. Tab 7- Proposer s End User License Agreement Proposers must insert a copy of all licensing terms and conditions in this section. 15378A RFP Page 11 of 14
Tab 8- Exceptions to Denver Water s Terms and Conditions contained in Exhibit B Sample Agreement Exhibit B Sample Agreement is included as a separate document. Proposer shall review Exhibit B and submit a letter signed by an authorized agent of the Proposer stating that, if selected, it intends to comply with all terms and conditions contained in Exhibit B. This signed letter must be submitted with the Proposal in Tab 8. If Proposer takes exception to any of the terms and conditions in Exhibit B Sample Agreement, the Proposer shall instead submit a letter signed by an authorized agent of the Proposer that indicates that exceptions are being taken. Additionally, the Proposer must include a list of each exception, including page number, paragraph number, and sentence number from the Sample Agreement along with proposed modified verbiage. Please note that the project schedule is such that it requires an extremely efficient proposal review and negotiation period. Any Proposal that does not conform to the requirements described here in Tab 8 may be considered non-responsive. 15378A RFP Page 12 of 14
EXHIBIT A- REQUIRED SUBMISSION INFORMATION This section addresses information necessary to gain a full understanding of the Proposer s product and capability to provide maintenance and support. In making its evaluation of the responsiveness of the Proposal, Denver Water will place considerable emphasis on all of the answers to the following listed questions. The quality and detail of responses will figure significantly in the overall evaluation of proposals. Proposers are encouraged to give examples and provide additional information to support capabilities on each point. In an effort to standardize the format of all proposals, responses should be provided to all items in the order given. Please list each item number, and restate the question prior to the response. Patch Management Software Quality and Features 1) How does your organization comply with NIST and industry recommendations and standards? 2) What is required for a seamless transition to your patch management product? 3) What hardware/software requirements are needed for product installation? 4) Describe the software s ability to interface with Microsoft System Center Configuration Manager 2012 and Windows Server Update Services. 5) Describe the software s ability to apply to other operating systems and devices. 6) Timely patching is critical to maintaining the operational availability, confidentiality, and integrity of IT systems. New patches are released daily. How does the organization keep abreast of all the new patches and ensure proper deployment in a timely manner? 7) What is your organization s systematic, accountable, and documented process from the phase/step of managing exposure to vulnerabilities through the deployment of patches? 8) Most major attacks target vulnerabilities for which patches existed before the outbreaks. After a patch is released, what is the process and timeframe to prioritize, obtain, test, and deploy a patch? a) How is your customer s vulnerability reduced during this period? 9) Not all vulnerabilities have patches, what are other methods of timely remediation that you have recommended or can offer to reduce the risk of exploitation? a) How are risks communicated to your customers? 10) How do you research, script, package, and test the effectiveness of the patching program prior to deployment? What metrics are considered for that purpose? 11) Describe the application s ability to perform software inventory management. 12) Describe the administrator(s) ability to control the deployment process and choose appropriate patches for installation. 13) How do you handle updates to your product? How are your customers informed of updates? Catalog and Customer Base 1) How do you evaluate which vendors or products are added to your third party product/application catalog and remain current with industry standards? In your response, include how often your catalog is updated. 2) Provide a link for your catalog of third party products supported by the patch management application or a PDF in your electronic proposal. At minimum, the catalog must include software vendor, product, and version. 15378A RFP Page 13 of 14
3) What type of organizations use your product? Provide the size of the organizations in your response. 4) How many customers have implemented the version of your application as proposed to Denver Water in this RFP? 5) What experience do you have working with utilities or government organizations? Customer Service 1) Describe your process and timeline for distributing vulnerability and remediation information to customers. 2) What mitigation support do you provide customers to resolve security issues caused by unsuccessful or ineffective patches? 3) Describe how you provide annual maintenance and support and what is included in this service. a) What is excluded from this annual service? 4) How many staff provide maintenance and support? 5) What is your average response time to customers? 6) What are the hours of operation for support? Budget 1) How is price impacted if there is an increase/decrease to the number of clients? 2) How do product updates impact the fee structure? 3) The successful proposer will be awarded a multi-year contract with Denver Water. What cost savings are available to a multi-year customer? 15378A RFP Page 14 of 14