Report Prepared by: Jeff Bennyhoff, Director of Information Technology
Title
SUBJECT: Award the Managed Cybersecurity Operations Center Bid to SecureSky Inc for a Period of One Year, with the Approval to Extend Four Additional One-Year Periods, for the Cumulative Total Amount of $431,438 for the Five-Year Period
REPORT IN BRIEF
Considers awarding the Managed Cybersecurity Operations Center bid to Secure Sky Inc for a Period of One Year, with the approval to extend four additional one-year periods, for the cumulative total amount of $431,438 for the five-year period.
RECOMMENDATION
City Council - Adopt a motion:
A. Awarding managed cybersecurity operations center service bid to SecureSky Inc; and,
B. Authorizing the Not to Exceed spending authority to SecureSky Inc for $431,438; and,
C. Authorizing the City Manager to execute the necessary Documents to include, documents for the four additional one-year extensions; and,
D. Authorizing the Finance Officer to make necessary budget adjustments.
Body
ALTERNATIVES
1. Authorize agreement as recommended: or,
2. Refer to staff for further evaluation: or,
3. Deny.
AUTHORITY
Charter of the City of Merced, Section 200 and Merced Municipal Code Section 3.04.
CITY COUNCIL PRIORITIES
As provided for in the 2023-24 Adopted Budget.
DISCUSSION
In the dynamic landscape of cybersecurity, it is imperative for our city's defense mechanisms to be equally adaptable and responsive. The Information Technology staff currently faces challenges in addressing the high volume of cybersecurity review and analysis of requests. Our cybersecurity management system processes over 1,500 events per second. This system collates and analyzes these inputs, flagging incidents for further examination. On average, we observe more than 90 notable incidents weekly that require detailed analysis. Presently, the Information Technology Department lacks a dedicated cybersecurity team, distributing these critical responsibilities among various staff members. The time taken to analyze each incident varies widely, from minutes to several hours, depending on its complexity.
Given the necessity of continuous, 24-hour cybersecurity operations, it has become impractical for our City staff to effectively manage this task within conventional working hours. This limitation exposes the City to heightened risk levels during periods when staff are not actively engaged in monitoring and responding to cyber incidents.
To address this challenge the City issued a Request for Proposals (RFP) for a Managed Security Operations Center (SOC) service. The primary objectives of this SOC RFP are to enhance the City’s cybersecurity posture, effectively manage cybersecurity risks, leverage automation and orchestration of our existing security tools, and significantly reduce the City’s average time for detection and response to security events, within a fully managed 24/7/365 framework.
The RFP was structured to provide a one-year contract, with the option for four additional one-year extensions. This strategic approach is designed to balance our need for contractual flexibility in the fast-paced and ever-evolving cybersecurity landscape, while also securing long-term pricing stability. Staff is seeking approval for the full expenditure authority covering all five years of the potential contract duration. This comprehensive approval ensures readiness to support the extended service period if required. Staff will monitor the quality and effectiveness of the services provided. Should the services fail to meet our standards or expectations at any point, we reserve the right to terminate the contract. This measure ensures that we maintain control over the service quality while also securing the benefits of a long-term contractual arrangement.
The City received seven RFP responses for the Security Operations Center. The pricing of the proposals is reflected in the chart below.
|
Vendor |
Year 1 |
Year 2 |
Year 3 |
Year 4 |
Year 5 |
Total |
|
Blue Voyant |
$94,421 |
$66,000 |
$66,000 |
$69,300 |
$69,300 |
$365,021 |
|
SecurelyManaged |
$72,000 |
$73,000 |
$74,000 |
$75,000 |
$76,000 |
$370,000 |
|
SecureSky |
$95,325 |
$81,549 |
$83,180 |
$84,844 |
$86,540 |
$431,438 |
|
ePlus |
$98,500 |
$82,620 |
$84,272 |
$85,957 |
$87,677 |
$439,027 |
|
Patriot Consulting |
$102,000 |
$104,000 |
$106,000 |
$108,000 |
$110,000 |
$530,000 |
|
Optiv |
$174,409 |
$164,207 |
$167,260 |
$170,519 |
$173,675 |
$850,175 |
|
UltaViolet |
$240,000 |
$247,200 |
$254,616 |
$262,254 |
$270,122 |
$1,274,192 |
The City narrowed the list of proposers down to four vendors based upon the evaluation criteria as outlined in the RFP.
1: Proposal: Comprehension of the needs of the City as demonstrated by its description of its approach to the elements listed in the Scope of Services section of this RFP
2: Experience & Capacity: The Respondent’s relevant experience in providing the same or similar services; and the availability and capacity to provide service, credentials of the key staff that would be assigned to this project’s implementation phase.
3: Cost: The total cost of the Respondent’s proposal is important to the City; however, based on the evaluation of the other criteria, the City will not necessarily select the lowest bidder. We will make our selection based on best value.
4: References: Evaluation of the Respondent’s work for previous clients receiving similar services to those proposed in this RFP.
The top four vendors Blue Voyant, Securely Managed, Secure Sky, and ePlus were contacted to perform an additional RFP presentation.
It should be noted that the City of Merced already has limited access to Blue Voyant security operations center staff and cybersecurity intellect property through an agreement between Blue Voyant and the California Department of Technology - Security Operations Center. This agreement enables Cities in California, to partner with the State Security Operations Center and obtain, limited, free access to their partner of choice, Blue Voyant. The City of Merced was one of the first Cities in California to leverage these free state Cybersecurity resources. These services are funded from the State’s General Fund.
This contract, for a cybersecurity operations center services, will be governed by the City’s standard professional services agreement. Through negotiation with the vendors, it was determined that our unlimited indemnity provision was not accepted for this type of service as no vendor would agree to our standard terms. Staff believes that it is in the City’s best interest to proceed with this agreement with limited liability protection up to a maximum of $1,000,000.
After reviewing the RFP materials, additional presentations, and considering the existing access to Blue Voyant, the City recommends awarding the contract to SecureSky Inc. SecureSky Inc aligns closely with the scope of work detailed in the RFP and offers the best overall value for the City.
IMPACT ON CITY RESOURCES
The funding for the Security Operations Center 1 year service is approved in the FY23/24 Council Adopted budget. The Security Operations Center service will be purchased using funds budgeted in the Support Services Information Technology division. Future year fees will be included in the budget process.
ATTACHMENTS
1. Professional Services Agreement with SecureSky Inc.