Request for Proposal
Issued August 11, 2017

Table of Contents

Background
  I. MARC Organizational Structure and Activities
  II. Operation Green Light Program Description
  III. OGL Information Technology (IT) System
  IV. Current IT Security Efforts
  V. Objectives
Proposed Scope of Services
Questions
Response Requirements
Engagement
Anticipated Schedule for Consultant Selection
Evaluation Criteria and Weights
Contact for Further Information
Open Records Act and Proprietary Information
Protest Procedures

Closing Date and Time for Proposals: September 8, 2017, by 4 pm CST
Contact Information: Ray Webb, Manager of Traffic Operations, rwebb@marc.org
Background

I. MARC Organizational Structure and Activities

The Mid-America Regional Council (MARC) is the metropolitan planning organization and association of city and county governments serving the bi-state Kansas City region. It is a public, nonprofit agency. MARC serves nine counties with 119 cities, including Cass, Clay, Jackson, Platte and Ray counties in Missouri; and Johnson, Leavenworth, Miami and Wyandotte counties in Kansas.

MARC was formed in 1972 and is governed by a 33-member board of directors composed of city and county elected officials. In addition to the board, MARC has dozens of policy, technical and advisory committees and decision-making entities overseeing its work and providing important and diverse stakeholder involvement. This series of committees and working groups enables MARC to engage a diverse array of community interests and representatives from often under-represented constituencies.

MARC was formed in response to the increasing demand for regional cooperation. With input from federal, state and local governments, citizens groups and the private sector, MARC serves as a forum for the discussion of various issues including transportation, the environment, public safety and emergency services, early learning, aging services, public health, and community development issues. MARC also provides seminars and training opportunities for local governments and serves as an advocate for the region in the state and federal legislative arenas. MARC's services have expanded over the years and continue to evolve to meet the changing needs of the region. MARC promotes regional cooperation and develops innovative solutions through leadership, planning and action.
The Board provides direction and support for committees and related entities comprised of elected officials, federal, state and local government professionals, and representatives of civic partners and institutions, such as non-profit agencies, special districts, colleges and universities, business interests and associations, and citizens. The Board and committee activities are supported by a professional staff headed by an executive director who is appointed by the Board.

Staff members are trained in a variety of disciplines, including public administration, economics, urban planning, accounting, social services and public affairs. The staff works in six departments: aging, community development, early learning, research services, financial affairs and transportation. MARC currently has 130+ employees and offers a comprehensive fringe benefit package.

MARC services are funded by a variety of sources including contributions by member governments; formula and discretionary grants from Missouri, Kansas, and the federal government; and contributions for specific programs from private foundations and civic organizations. MARC's annual budget is approximately $60 million, with approximately 75 percent from federal grant sources and the remainder from state and local government dollars, private foundation grants and earned income. MARC's financial services department manages over 150 grants at any given time.
II. Operation Green Light Program Description

Operation Green Light (OGL) is a regional effort to improve traffic flow and reduce vehicle emissions. As part of MARC's transportation department, Operation Green Light works with federal, state and local agencies to develop and implement a system to coordinate traffic signal timing plans and communication between traffic signal equipment across jurisdictional boundaries.

MARC staff working in the OGL program provide resources to member agencies in the form of (1) a regional network for traffic signals and other transportation-related technology needs, (2) access to a central Advanced Transportation Management System software and associated servers, software, and network equipment, (3) traffic signal programming/operations and data collection services, and (4) other support services as needs arise.

The OGL program is under the oversight of the MARC organization as described above, as well as the OGL Steering Committee, which is made up of representatives from each of the OGL-participating member agencies. Currently 24 different cities and states participate in OGL. MARC staff working in the OGL program are housed at the Missouri Department of Transportation Kansas City District office in Lee's Summit, MO.

III. OGL Information Technology (IT) System

MARC maintains a regional IT network to provide applications and services to MARC and member agency staff, as well as authorized consultants and contractors. These applications include TransSuite by TransCore, Security Center by Genetec, as well as web access to various field transportation devices. MARC staff also utilize standard Microsoft Office and other applications on workstations in the office. System users who are not on-site at the OGL office access the OGL applications through the Internet or the OGL Regional network. This includes remotely logging into the TransSuite application server using Microsoft RD Gateway.
A small, single-access-point Wi-Fi network is maintained at the OGL office for staff and visitor use. MARC maintains two Hyper-V host servers for OGL: one is at the office in Lee's Summit, and the other is a replication backup maintained at a tower shelter offsite. MARC maintains two Internet connections for OGL, one at each of the two host server locations.

The MARC-maintained OGL field network consists of wireless and wired backbone links between 16 tower locations, as well as interfaces with networks of other agencies who provide backhaul from one part of the city to another when existing network capacity can meet the system needs without MARC building additional infrastructure. The OGL network interfaces with many other networks of area cities and state agencies.

The OGL field network extends down to the street level at several hundred signalized intersections through the region. These on-street connections can be both wireless and through fiber-optic cable. The primary connection needed at each intersection's control cabinet is with the Traffic Signal Controller device, but other devices, such as surveillance cameras, may also be connected at some locations.
MARC's OGL network is well documented, and details can be provided during contract development time.

IV. Current IT Security Efforts

MARC staff and their existing on-call OGL IT Consultant have been working to make the OGL network more secure against threats. The field network, servers and software at the office, as well as the traffic signal controllers, must be as protected as possible. The field network has been geographically segmented using layer 3 routing. Staff have configured firewalls at each Internet connection and tower location, as well as at connections with networks maintained by other agencies. Local agencies who maintain traffic signal cabinets have been strongly encouraged to use padlocks on those cabinets in addition to the cabinet keyed lock. All wireless connections are encrypted. All user accounts having access to the OGL system are required to have strong passwords.

V. Objectives

MARC is interested in assessing its current OGL IT systems and practices to determine if any improvements can be made to better protect the network integrity, servers, software, and traffic signal controllers from threats.
Proposed Scope of Services

The consultant shall assess the following, either through direct TESTing or through discussions with MARC staff and REVIEW of documentation:

- Network resiliency (REVIEW to identify single points of failure for primary and backbone connections)
- Firewall vulnerability (REVIEW rules of two sample firewalls)
- Wireless network vulnerability (TEST consumer-grade WiFi at office and TEST one typical proprietary field wireless technology setup)
- Server vulnerability (TEST against one machine)
- Workstation vulnerability (TEST against one workstation)
- Password management vulnerability (REVIEW policy and procedures)
- Physical field cabinet access vulnerability (REVIEW several sample field cabinet setups and TEST one location)
- User behavior/procedural vulnerability (REVIEW through phone interview with 5-7 OGL users)

The consultant will provide a written report and a presentation of the process and findings to selected key MARC staff and OGL Steering Committee members. The report will address the following:

- Specific recommendations for each area of vulnerability along with an implementation cost estimate, if any, of recommended solutions.
- Immediate response reports for critical discoveries.
- Prioritization of remaining discoveries with a roadmap for remediation.
- Definition of any risks associated with the remediation of the vulnerabilities.
- Recommended tools, procedures or policies.

The Consultant shall adhere to the following restrictions in the performance of the Scope of Work:

- No denial of service tools/techniques shall be used as part of any assessment.
- No footprint of penetration shall be left behind.

MARC has budgeted $25,000 for the scope of services. It is anticipated that the consultant should be able to complete the project within a 60-day timeframe. A consultant located outside the Kansas City region may work remotely using conference calls, Skype or GoToMeeting technologies; however, there will be a need to be in Kansas City for a limited number of meetings at MARC and/or the OGL program offices.

Questions

All questions regarding this Request for Proposals (RFP) should be directed to Ray Webb by email at rwebb@marc.org by August 22, 2017. Responses to questions will be provided to all interested parties by August 28, 2017.

Response Requirements

Responses to this Request for Proposals should be directed to Ray Webb NO LATER THAN 4 p.m. CST on September 8, 2017. Responses may be mailed or delivered in electronic format (PDF limited to approximately 15Mb) to Ray Webb at rwebb@marc.org.

Note: It is the responsibility of the consultant to verify the receipt of proposals by MARC staff, as there is always the possibility of emails getting blocked by MARC's firewall/spam filter.

The following items should be addressed in your response.

1. Identification Information:
   - Name of Key Contact Person
   - Organization Name
   - Address
   - Phone Number
   - Email Address

2. Background of the Individual and/or Organization Offering Consulting Services. Provide information on the individual's or organization's background, including experience, education and skills necessary to perform the required work. If multiple individuals will be assigned to the MARC project, please include a brief (no more than 1 page) resume for key staff assigned to support this project. Indicate specific credentials that make an individual(s) and/or organization well suited to meet MARC's requirements for this project.

3. Experience with Similar Engagements. Provide a description of experience on projects with other clients similar to the work that MARC is requesting.
4. References for Similar Projects. Provide three references of clients (key contact information) where similar services to those requested in this RFQ were offered and/or where knowledge of skills would be known.
5. Detailed Project Plan. Provide a detailed project plan, outlining the tasks that will be completed along with the deliverable schedule. Include the estimated timeframe for the review and completion of written report.

6. Proposed Hourly Fees and Total Project Fee. Provide the hourly billing rates for each individual that would be assigned to the MARC project along with the estimated hours and total fee proposed for this project.

Engagement

This Request for Proposal does not commit MARC to award a contract or to pay costs incurred in the preparation of a proposal in response to this request. MARC reserves the right to accept or reject any or all responses received as a result of this request if it is considered in the best interest of MARC. MARC may require the proposer selected to participate in negotiations, and to submit such price, technical or other information as may be needed to finalize a particular engagement for services.

Anticipated Schedule for Consultant Selection

The following schedule will be used for the selection of a consultant.

- Issue Request for Proposals: August 11
- Deadline for Questions and Requests for Further Information: August 22
- Responses to Questions: August 28
- Deadline for Proposals (submitted by email to rwebb@marc.org): September 8, 2017, by 4 pm CST
- Select Preferred Consultant: Week of September 11, 2017
- Finalize Agreement and Issue Notice to Proceed: Estimated within two weeks following selection

Evaluation Criteria and Weights

The proposals submitted by each consultant will be evaluated according to the following factors:

1. Specialized experience and technical competence of the consultant and assigned staff relative to the scope of work and task requirements outlined in this RFP (50 points)
   a. Experience of the project manager
   b. Amount of dedicated time of key staff allocated to the project
   c. Experience of other assigned individuals

2. Understanding the nature of the project (30 points)
   a. Understanding the proposed scope of work
   b. General understanding of the regional significance of the project
   c. General organization and clarity of the proposal

3. References reflecting previous work experience of the project team and satisfactory accomplishment of responsibilities (20 points) (minimum of three verifiable references)
   a. Quality of final product
   b. Ability to meet work schedules
   c. Responsiveness to client input
Contact for Further Information

For further information about this RFP, contact Ray Webb, PE, Manager of Traffic Operations, at rwebb@marc.org.

Open Records Act and Proprietary Information

The Mid-America Regional Council (MARC) is a public organization and is subject to the Missouri Open Records Act (Chapter 610, RSMo). All records obtained or retained by MARC are considered public records and are open to the public or media upon request unless those records are specifically protected from disclosure by law or exempted under the Missouri Sunshine Law.

All contents of a response to a Request for Bids, Qualifications, Proposals or information issued by MARC are considered public records and subject to public release following decisions by MARC regarding the bid request. If a proposer has information that it considers proprietary, a bidder shall identify documents or portions of documents it considers to contain descriptions of scientific and technological innovations in which it has a proprietary interest, or other information that is protected from public disclosure by law, which is contained in a Proposal.

After either a contract is executed pursuant to the Request for Bids, RFQ or RFP, or all submittals are rejected, if a request is made to inspect information submitted and if documents are identified as Proprietary Information as provided above under Missouri Sunshine Law, MARC will notify the proposer of the request for access, and it shall be the burden of the proposer to establish that those documents are exempt from disclosure under the law.

Protest Procedures

In the course of this solicitation for proposals and the selection process, a proposer (bidder or offeror whose direct economic interest would be affected by the award of the contract) may file a protest when, in the proposer's opinion, actions were taken by MARC staff and/or the selection committee which could unfairly affect the outcome of the selection procedure.
All protests should be in writing and directed to Mr. David Warm, Executive Director, Mid-America Regional Council, 600 Broadway, Suite 200, Kansas City, MO 64105. Protests should be made immediately upon occurrence of the incident in question but no later than three (3) days after the proposer receives notification of the outcome of the selection procedure. The protest should clearly state the grounds for such a protest. Upon receipt of the protest, MARC's Executive Director or his assignee will review the actual procedures followed during the selection process and the documentation available. If it is determined the action(s) unfairly changed the outcome of the process, notifications with the selected proposer will cease until the matter is resolved.