DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY ATTACHMENT A A-1: BACKGROUND AND CONTRACTOR QUALIFICATIONS A-2: SCOPE OF WORK

Transcription

1 DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY ATTACHMENT A A-1: BACKGROUND AND CONTRACTOR QUALIFICATIONS A-2: SCOPE OF WORK GOODS AND SERVICES CONTRACTS

2 Page 1 of 5 RFP 16-PR-DEM-33 Comprehensive All-Hazards Risk Assessment Attachment A-1: Background and Contractor Qualifications 1.0 Background and Intent: The DC Water and Sewer Authority (DC Water) is seeking a qualified vendor (the Contractor ) to assist in executing a comprehensive system wide (as referenced in the DC Water Master Plan 1 ) all-hazards physical security, operational, system engineering and cyber security resiliency vulnerability assessment of all owned assets within DC Water, which is located in Washington, DC, and its associated watershed properties and wastewater assets located in Maryland and Virginia (See Attachment M - DC Water Facilities). The intent is to update previously identified vulnerabilities and develop current remediation and resilience strategies, using both traditional and non-traditional solutions, to ensure the continued safety and security of the water and wastewater system for all DC Water employees, ratepayers and the residents within our service area. The work to be performed shall be in compliance with standards provided by the American National Standards Institute (ANSI) and the American Water Works Association (AWWA). 2.0 Contractor Minimum Qualifications: Vendors wishing to be awarded the contract resulting from this RFP must possess the minimum qualifications stated below. The Offeror shall include information with their proposal to substantiate that they meet the following: 1. The Offeror must demonstrate at least four (4) years of experience performing services similar in nature to those requested in this RFP with major metropolitan water and wastewater utilities in US and show competency in each area identified in the Scope of Work. Equivalent experience of personnel performing this or similar service will also be considered in lieu of the above. 2. The Offeror must demonstrate knowledge of, and documented project experience with, industry best practices including ANSI/AWWA J100 standards, use of the Parre in conducting a J100 risk assessment, and a broad range of water and wastewater physical, operational, and cyber vulnerability assessment and risk mitigation experience. 3. The Offeror must provide a sufficient number of qualified personnel to perform the service within the required timeline. The Offeror must provide resumes of all key personnel demonstrating experience with specific projects similar in nature to those requested in this RFP and the percentage of their time devoted to each project(s). 1 The DC Water Master Plan is a confidential document that will be provided to the winning Offeror at contract award.

3 Page 2 of 5 RFP 16-PR-DEM-33 Comprehensive All-Hazards Risk Assessment Attachment A-2: Scope of Work 1. General: 1.1. The Contractor shall perform all work under the direction of DC Water s Contracting Officer s Technical Representative ( COTR ) The Contractor shall assist in executing a comprehensive system wide (as referenced in the DC Water Master Plan) all-hazards physical security, operational, system engineering and cyber security resiliency vulnerability assessment of all owned assets within DC Water (the Risk Assessment ), including all sites located within Washington, DC and all associated watershed properties and wastewater assets located in Maryland and Virginia (See RFP Attachment M - DC Water Facilities) The COTR will provide the Contractor with a copy of the DC Water Master Plan upon contract award The Contractor shall perform all work in compliance with standards provided by the American National Standards Institute (ANSI) and the American Water Works Association (AWWA) The Contractor shall submit a detailed with identified milestones to the COTR for approval within 10 business days after the project kickoff meeting. This work shall be completed in 12 months or less The Contractor shall provide Monthly Status Reports to the COTR and DC Water staff to include, at a minimum, the progress made to date and alignment with the. If the work is behind the, then the report must also contain the cause for the delays and plans to catch up. The Monthly Status Reports shall be presented, in person or via conference call, and a copy submitted in electronically via (PowerPoint or MS Word) DC Water prefers the payment per milestones (see Section 5 of this Attachment) achieved and accepted by DC Water. The final invoice shall be submitted upon successful completion of the project, as determined by the COTR. 2. Risk Assessment Software Evaluation and Selection: 2.1. DC Water is seeking an encrypted/secure software to be used for data collection, analysis and maintenance of the Risk Assessment. The Contractor shall present software options to the COTR and make a recommendation on the software that will best meet DC Water s needs. The COTR will make the final selection of the software to be used The Contractor shall use and maintain the selected software for data collection in accordance with the ANSI/AWWA J100 standard The Contractor shall provide all copies, licenses and data for the selected software to the COTR at the conclusion of the project. No copies of DC Water purchased licenses, software or data shall be retained by the Contractor or its subcontractors without prior written permission from DC Water. 3. Risk Assessment: 3.1. The Contractor shall complete a comprehensive, system wide all-hazards physical, operational, system engineering, and cyber [Business Information Technology (BIT) networks, Industrial Control Systems (ICS) networks, Supervisory Control and Data Acquisition (SCADA) network, and Electronic Security System (ESS) network] vulnerability assessment (hereinafter the Risk Assessment ) of all DC Water owned assets to determine the all-hazards risk and resilience of all physical, operational, and cyber assets located throughout the DC Water system.

4 Page 3 of The Risk Assessment must cover all types of risk including, but not limited to: a) Malicious or other intentional acts and all hazards events for external physical risks; b) Malicious or other intentional acts and all hazards events for internal physical risks; c) Malicious or other intentional acts and all hazards events for operational risk; d) Malicious or other intentional acts and all hazards events for external cyber security risks for DC Water BIT, ICS, SCADA, and ESS networks; e) Malicious or other intentional acts or all hazards events for internal cyber security risks for DC Water BIT, ICS, SCADA and ESS networks; f) Natural and human caused disasters; g) Unintentional human causes risks, such as hazardous chemical spills, incorrect system operation, critical component failure, etc.; and h) Dependency hazards to include utility interruptions (including power outages, communications outages), supply chain, employee staffing issues (illness, strike), customers, transportation, proximity, etc The cyber security portion of the Risk Assessment must identify and provide detailed recommendations to mitigate vulnerabilities that allow an attacker to disrupt undermine or take control of the system. The assessment must address remote/external threats as well as internal/insider threats. The cyber security assessment must be tailored to the specific needs and issues of the specific, installed Industrial Control System (ICS) which are very different from the typical Office Automation (OA) system The Contractor shall review and assess current emergency response plan based on findings of the assessment, perform a gap assessment The Contractor shall complete the Risk Assessment in accordance with standards set by the AWWA and the ANSI/AWWA J (R13) Risk and Resilience Management of Water and Wastewater Systems (RAMCAP) The Contractor shall, as a part of the Risk Assessment, catalog the following: risk assessment findings and data, secure access for specifically identified critical management personnel only, vulnerabilities of such data and systems, chain of custody concerns for vulnerability assessment deliverables, requirements of software and DC Water network compatibility, and maintenance/update requirements for the software and input data The Contractor shall utilize the Program to Assist Risk & Resilience Examination (PARRE) tool to complete the Risk Assessment The Contractor shall utilize information from the 2012 Blue Plains assessment to complete the Risk Assessment, incorporating elements to support completion along with incorporating relevant findings from other vulnerability assessments including cyber assessments, DHS Site Assistance Visits, information from Washington Aqueduct assessments, the District of Columbia (DC) Threat and Hazard Identification and Risk Assessment (THIRA) and any other relevant assessments available. This will be provided to the Contractor by the COTR at contract award The Contractor shall ensure that the Risk Assessment is consistent with the 2015 District of Columbia (DC) and 2015 National Capital Region (NCR) Threat and Hazard Identification and Risk Assessments (THIRA) using the threats identified in those documents Prior to completing the Risk Assessment the Contractor shall provide training (and training materials in electronic format) and complete the knowledge transfer to the COTR and other DC Water personnel on the specifics of what involved in the assessment and the role of the stakeholders in completing the project.

5 Page 4 of Upon completion of the Risk Assessment the Contractor shall present the written Risk Assessment report to COTR and other DC Water personal to obtain feedback and acceptance prior to preparing a Gap Analysis and Risk Reduction Recommendations report. 4. Gap Analysis and Risk Reduction Recommendations Report: 4.1. The Contractor shall use the Risk Assessment to develop and deliver to DC Water a Gap Analysis and Risk Reductions Recommendations Report (the Report ) The Contractor shall include in the Gap Analysis section of the Report an assessment of DC Water s current emergency response planning that incorporates the findings and recommendations of the Risk Assessment and make recommendations for best emergency response planning methodology based on the ANSI/AWWA G standard The Contractor shall include in the Risk Reduction Recommendations section of the Report a prioritized program of recommended risk reduction measures with an associated Agency-wide cost benefit analysis to include, but not be limited to: a) A listing of all federal facilities that are co-located or adjacent to DC Water assets; b) Detailed remediation and resiliency strategies separated by physical, operational, and cyber (BIT, ICS, SCADA, and ESS networks) assets based on findings in the Risk Assessment; c) Risk reduction and resilience implementation prioritization in two separate recommendations lists: 1) individual recommendations based on actual risk and priority; and 2) recommendations to include cost effective and/or maximum benefit groupings and priorities; and d) An implementation strategy to include prioritized site planning for all identified vulnerabilities and detailed mitigation recommendations The Contractor shall also include, at a minimum, the following items in the Report: a) An analysis of the DC Water s mission and determination of the consequences that could affect it; b) Detail and rank both internal and external physical, operational, and cyber asset characterization; c) A detailed description of an all-hazards threat assessment; d) A detailed description of a threat analysis; e) A detailed description of a consequence analysis; f) A detailed description of a resilience analysis; and g) An Evaluation of security and operations policy against ANSI/AWWA G standard. 5. Milestones, Deliverables, and Payment: The Contractor shall provide, at a minimum, the deliverables set forth below. DC Water prefers the payment to be directly linked to the successful completion of each milestone per milestone payment shown below. A higher preference and evaluation score will be given to contractor(s) with a milestone payment such as shown below over contractor(s) who requests payment that is not tied to the successful outcome of the work (i.e. monthly invoicing). MILESTONES DELIVERABLE DUE DATE Project Initiation Software Recommendation Risk Assessment (in MS Project and PDF format) Recommendation document of Risk Assessment Software Risk Assessment report (in MS Word and PPT) Within 10 days following the project kickoff MILESTONE PAYMENT No more than 10% No more than 15% No more than 25%

6 Page 5 of 5 Gap Analysis and Risk Reduction Recommendation Knowledge Transfer Project Documents Gap Analysis and Risk Reductions Recommendations Report No more than 30% Training, training materials, knowledge transfer No more than 15% All software copies, licenses and Five (5) days prior to the end No more than 5% data transferred to DC Water (all in of the contract term electronic format) Monthly Status Reports Quarterly n/a - End of Scope of Work -