Loading...
Skip to main content
PhoneCall Us: (800) 964-6379 / (613) 727-4900 (local) HelpHelp (opens in a new window) FR AvatarLogin
Login Window
Forgot your password?

0629005-19 - RFP - Threat Driven Risk Assessment - NB

This solicitation is CLOSED

Basic Information

Reference Number

NB-0629005-19

Issuing Organization

Government of New Brunswick

Solicitation Type

ITT - Invitation to Tender (Formal)

Solicitation Number

0629005-19

Title

RFP - Threat Driven Risk Assessment - NB

Source ID

NEW_BRUNSWICK

Details

Location

New Brunswick

Dates

Publication

2019/01/06 11:00:00 PM EST

Closing Date

2019/02/04 08:05:00 AM EST

Contact Information

Tyler Sarchfield

1 (506) 453-4122


Description

This procurement is subject to the provisions of the Canadian Free Trade Agreement, the Atlantic Procurement Agreement and the Quebec-New Brunswick Procurement Agreement.

No totals required.

PROFESSIONAL, ADMINISTRATIVE AND MANAGEMENT SUPPORT SERVICES



***** Amendment # 3 *****

This tender solicitation has been cancelled in its entirety.

***** Amendment # 2 *****

This document has been amended to answer the following vendor questions. All other information remains the same:

1. Would any work streaming from the assessment require to go through a similar RFP and bidding ?

Answer: Depending on the final report from the winning vendor, follow-up work might be required.If we have tools in place to meet recommendation from the vendor or we have staff that can meet the need, then nothing will occur. If not, the typical approach is to RFP for additional support.

2. Could you please clarify your expectations regarding the "completeness and effectiveness of your controls to include in the report of the risk assessment"? - see section 6.2.1.

Most risk assessment methodologies typically do not include an assessment of the completeness and effectiveness of controls, but they allow to verify if each control which is applicable to your threat scenarios does/doesn't exist on your Information System. The completeness and effectiveness of controls typically are assessed during audits (not assessments).

Answer: It would be better to focus on the "evidence of our current security posture" statement. With this in mind the completeness concept should help us to understand if what the vendor considers the best series of controls has been implemented. The effectiveness of these controls would strive to identify weaknesses in the current controls and opportunities for improvement.

3. The section 6.2.2 indicates that the final report should include several elements such as :
# "detection capability : the ability of a network's protective measures to detect and alert for all potential threats represented by the scenarios employed"
# "operational response : the ability of a network's security personnel to identify and react to malicious traffic or anomalies generated by the various scenarios"
# "overall : An assessment of the system's health and maturity based on the results of the previous four ratings"
# the operational response and the detection capability are assessed through a penetration test. The overall capability indicates that you expect that our works include an assessment of the maturity.
Question: Please could you confirm whether a penetration test is also expected on top of the maturity assessment and risk assessment ?

Answer:The RFP response should recommend how the 6.2.2 report elements can be accomplished in a cost effective manner. Given that this is an overall assessment of our corporate network components we are leaving it to the vendor to recommend what they feel is appropriate in the way of risk assessment and penetration test scenarios for generating evidence that will "provide senior leaders within GNB a better understanding of our current cyber security exposure".


4. The section 7.2.3 project plan indicated the detailed project plan expected and we noted that it should include the following :
o "An overview of the types of simulation being proposed, an estimate of assets that may be assess in each simulation, and an explanation of what each simulation should reveal. Note for consideration : the quality of the assessment types proposed is as important to GNB as the quantity if assessments proposed."
o Question: in the section 7.2.3, while the wording is not clearly stating it, it looks like you are referring to a tabletop exercise. Is that the case?

Answer: The RFP was carefully worded to give vendors an opportunity to propose the approach that they feel will best provide evidence of our current corporate security posture. As such we have attempted to avoid specifics on how to approach the project or limitations on how the vendor can complete their assessment. As such, a table top exercise has not been specifically asked for, nor has it been ruled out as a method of data capture.

o Question: In section 7.2.3, we understand that the vendor should suggest different assessment types to meet your expectations (rather than just a threat driven risk assessment, as the title of the RFP might suggest). Please could you confirm our understanding?

Answer: The title of "Threat Driven Risk Assessment" seemed the best choice for introducing the topic in a way that is most comprehensible for our business leadership. Each vendor should provide a recommendation on how they plan to meet our overall RFP needs, not just the RFP title. We will evaluate each vendor approach against our requirements as outlined in the evaluation table, including the proposed vendor costs.


***** Amendment # 1 *****

This document has been amended to answer the following vendor question. All other information remains the same:

Q1. Can you describe the type of devices we would see in each network segment:
o End user segments(both wired and wireless networks)
o Departmental server segment(considering production, development and test segments)
o DMZ segments including SNB Shared Services
o Other portions of the network that the Proponent would deem at risk
o Various infrastructure devices that the Proponent would deem at risk

R1. GNB will not provide detailed answers to these questions until a vendor is chosen, under contract and under NDA.

Q2. Can you provide a list of IP addresses in scope or are we to determine that through OSINT discovery?

R2. As listed in the RFP: Recognizing that completing this assessment(s) against the entire GNB environment would be an exceedingly complex and expensive task, the services requested in this RFP are for an audit sampling based / statistical model approach. The overall project approach should be structured to identify significant cyber security issues and risks, that the Proponent can deliver in a cost-effective manner

This is a tender notice only. In order to submit a bid, you must obtain official tender documents from the New Brunswick Opportunities Network, another authorized tendering service or as indicated in the tender notice.
RETURN TO:
Note change to mailing address:

Central Tendering Branch
Fredericton Regional Centre
Suite 2300, 300 St. Mary's Street,
Fredericton, N.B.
E3A 2S4

Fax: (506) 444-4200

Public opening of bids will take place on closing day at 14:00 Atlantic Time, in Fredericton Regional Centre, Suite 2300, 300 St. Mary's Street, Fredericton, N.B. E3A 2S4.
----------------------------------------------------------------------------------------------
All bids must be stated in Canadian Funds.

All tenders must be F.O.B. destination, freight prepaid.

Sales taxes should not be included in the unit, extended or total prices.

This Invitation is being conducted under the provisions of the Procurement Act and Regulation as of the date of the issuance of the Invitation. Bidders may obtain a copy of the Act and Regulation on-line free of charge Procurement Act, Regulation or a paper copy may be purchased from the Queen's Printer, Province of N.B., P.O. Box 6000,Fredericton, N.B. E3B 5H1.

QUESTIONS:
Written questions relating to this opportunity may be submitted to the address provided below via email by clicking on Questions. Please be sure to include the solicitation/tender number in the subject line.
EMAIL ADDRESS: bidquestionssoumissions@snb.ca
NOTE: This email account is strictly for the receipt of questions on open opportunities. This email is not for the submission of bids.

All suppliers engaged to deliver services on behalf of the Government of New Brunswick must ensure compliance with the Official Languages Act in the delivery of those services. For more information, please refer to the Official Languages Act.

The Atlantic Provinces Standard Terms & Conditions for Goods and Services apply to this procurement and are considered to be incorporated into this document. By submitting a bid, you agree and accept these terms and conditions. Current "Atlantic Provinces Standard Terms and Conditions" are available on the New Brunswick Opportunities Network, the Council of Atlantic Premiers' Website or from an authorized service provider.

Under Canadian law (and international agreements), your Bid must arrive separately and independently, without conspiracy, collusion or fraud; see http://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/home for further information.

A bidder must obtain official bid documents from a distribution service, authorized by the Minister of Service New Brunswick, in order to submit a bid. The current authorized distribution services are the New Brunswick Opportunities Network (NBON) (operated by Service New Brunswick, Province of NB), BIDS (operated by Tendering Publications Ltd.) and MERX (operated by Mediagrif Interactive Technologies). Failure to submit the official bid documents or provide proof that the
official bid documents were properly obtained will result in rejection of the bid. In order to facilitate the evaluation process, Bidders are requested to respond in the same format as the official bid documents.

Where the estimated value of the goods or services to be procured is below
the lowest applicable threshold value of any relevant trade agreement, Service New Brunswick reserves the right to give preferential treatment to a prospective supplier from New Brunswick or the Atlantic Region. Should this right be exercised, the following order of priority will apply: a) firstly, New Brunswick manufacturers if the goods to be procured are manufactured in New Brunswick; b) secondly, New Brunswick vendors; and c) thirdly, Atlantic Suppliers. The preference will be applied based
on the price differential
between the lowest acceptable bid and the bid receiving preferential treatment. Unless otherwise indicated, there shall be no limit on the price differential under which a preference may be applied. The decision to apply a preference will be at the sole discretion of Service New Brunswick.

All discounts quoted will be considered to be without limitations.

Payment of invoices is the responsibility of the department or organization to whom the goods are shipped or services are supplied.

Award of contracts: no contract shall be awarded and no payment shall be made to a vendor unless authorized by the Minister or his delegates. The Minister may make an award to the preferred vendor conditional on the negotiation and acceptance of a detailed contract between the Province and the vendor. In such cases, should the detailed contract negotiations not be completed in a reasonable period of time, the Province reserves the right to discontinue negotiations with the vendor and
subsequently enter into negotiations with the second preferred vendor.

No right or duty, in whole or in part, of the vendor under a contract issued may be assigned or delegated without the prior consent of the Strategic Procurement Branch.

Unless the Strategic Procurement Branch has determined otherwise prior to tender closing, all prices must be extended and totaled.

The province of New Brunswick reserves the right to negotiate pricing, value added and other savings opportunities with the successful proponent at time of award and throughout the contract.

Pay Equity
Does your organization have 50 or more employees?
The Government of New Brunswick is committed to encouraging and incentivizing the adoption of pay equity by employers doing business with government.

Prior to the award of procurements for goods and services valued over $1,000,000, suppliers, with fifty (50) or more employees will be required to complete the Pay Equity Learning Module developed by the Women's Equality Branch. Suppliers should provide a copy of their certificate of completion with their bid submission.

To complete the online module and obtain your certificate, please visit www.gnb.ca/payequity. For questions, please contact the Pay Equity Bureau toll free: (877) 253-0266 or by Email: peb-bes@gnb.ca.

Direct Deposit
The Province of New Brunswick is now using Direct Deposit as the standard method of issuing payments. Suppliers are required to provide bank account information and an email address for the notice of remittance. Please send the completed Direct Deposit Form to Service New Brunswick (e-mail address and mailing address are indicated on the form).
Please click on the link below to view the Direct Deposit Form.
http://www2.gnb.ca/content/dam/gnb/Departments/gs-sg/pdf/Procurement/DirectDepositVirementDirect.pdf

Solicitation documents will be provided in either of the Province of New Brunswick's two official languages; English or French upon request.

See more
Disclaimer All amendments to the associated notice, including amended documents, plans and specifications (where applicable), are issued by the originator of the notice. MERX asks you to contact the buying agency directly for these amendments. MERX stipulates that potential bidders may also be required to register with the buying authority as a bidder/plan taker. The contact information can be found within the main tender document and/or on this notice abstract.

We use cookies and other similar technology to deliver our online services. Essential cookies are used to enable you to access and navigate our site. These are necessary and are always on. We also use functional, analytics, and marketing cookies when we have your consent to do so. For more information on how we use cookies, please consult our Privacy Policy.