i.

COMPETITIVE PROCUREMENT FOR:

RFP C000507-MANAGED SECURITY SERVICES

PROCUREMENT WEBSITE: HTTPS://ITS.NY.GOV/COMPETITIVE-PROCUREMENT-OPPORTUNITIES

DESIGNATED CONTACT FOR INQUIRIES AND SUBMISSIONS

Alisa Fortune, Contract Manager

RFP related questions must be submitted via electronic mail using the Vendor Questions and Extraneous Terms Form (Attachment 3) to the designated contact for this RFP at

its.sm.bestvalue@its.ny.gov

No other method of inquiries will be accepted. Administrative issues pertaining to sending/receiving email through the designated mailbox may be reported at (518) 473-9341.

ITS ADDRESS FOR PROPOSAL DELIVERIES

Address to:

NYS OFFICE OF INFORMATION TECHNOLOGY SERVICES

PROCUREMENT AND CONTRACT SUPPORT UNIT

If US Post Office standard and US Post Office overnight mail, use:

ATTENTION: Alisa Fortune, PO BOX 2062, ALBANY, NY 12220

If UPS and FedEx express delivery overnight and ground service, use:

ATTENTION: Alisa Fortune, EMPIRE STATE PLAZA, SWAN STREET BUILDING, CORE 4, ALBANY, NY 12223

If Hand Delivery to front desk:

ATTENTION: Alisa Fortune, EMPIRE STATE PLAZA, SWAN STREET BUILDING, CORE 4, 1ST FLOOR LOBBY,

ALBANY, NY 12223

RFP Calendar of Events

Event Date

1. RFP Release Date November 17, 2017

2. Deadline for filing Mandatory Intent to Bid and Non-Disclosure Agreement (Attachment 2)

December 11, 2017 at 2:00 PM ET

3. Mandatory Pre-Bid Conference Solely for the Financial Portion of this Procurement (See section 5.2.3)

On or about December 15, 2017

4. Deadline for Submission of Vendor Questions December 22, 2017

5. Issuance of Response to Submitted Questions On or about January 5, 2018

ii.

RFP Calendar of Events

Event Date

6. PROPOSAL DUE DATE January 26, 2018 at 2:00 PM ET

TABLE OF CONTENTS

APPENDICES (REQUIRE NO ACTION FROM BIDDERS) ......................................................................... III

ATTACHMENTS (MUST BE COMPLETED BY BIDDER’S AND SUBMITTED WITH PROPOSALS) ................. III

SECTION 1 - OVERVIEW ......................................................................................................................5

1.1 PURPOSE OF REQUEST FOR PROPOSALS ...................................................................................... 5 1.2 DEFINITIONS .................................................................................................................................. 5 1.3 THE OFFICE OF INFORMATION TECHNOLOGY SERVICES .............................................................. 5

1.3.1 Mission, Vision, and Values Statement ................................................................................... 5 1.3.2 Formation of ITS ....................................................................................................................... 5

SECTION 2 - PROJECT SUMMARY ........................................................................................................5

2.1 MINIMUM BIDDER QUALIFICATIONS ............................................................................................ 5 2.2 PROJECT BACKGROUND (CURRENT STATE) .................................................................................. 6 2.3 BUSINESS GOALS (FUTURE STATE) ................................................................................................ 6

SECTION 3 - SERVICE REQUIREMENTS & DESIRABLE FEATURES ............................................................7

3.1 MANAGED SECURITY SERVICES (MANDATORY REQUIREMENTS) ................................................ 7 3.2 MANAGED SECURITY SERVICES (DESIRABLE FEATURES) .............................................................. 9 3.3 KEY PERSONNEL .......................................................................................................................... 10

3.3.1 Contract Manager .................................................................................................................. 10 3.3.2 Service Manager .................................................................................................................... 10

SECTION 4 - TERMS AND CONDITIONS .............................................................................................. 10

SECTION 5 - PROCUREMENT PROCESS .............................................................................................. 11

5.1 METHOD OF AWARD ................................................................................................................... 11 5.2 ADMINISTRATIVE REQUIREMENTS AND INFORMATION ............................................................ 11

5.2.1 Inquiries from Bidders ........................................................................................................... 11 5.2.2 Filing by Bidders of Mandatory Intent to Bid and Non-Disclosure Agreement ..................... 11 5.2.3 Mandatory Pre-Bid Conference ............................................................................................. 11 5.2.4 Communications from NYS to Vendors ................................................................................. 11 5.2.5 Procurement Record .............................................................................................................. 11 5.2.6 Building Access Procedures for Visitors and Hand Deliveries ............................................... 12

5.3 NO LATE SUBMISSIONS ............................................................................................................... 12

SECTION 6 - PROPOSAL REQUIREMENTS ........................................................................................... 12

6.1 PACKAGE LABEL .......................................................................................................................... 12 6.2 MULTIPLE SUBMISSIONS ............................................................................................................. 12 6.3 GENERAL REQUIREMENTS FOR PROPOSALS ............................................................................... 12

SECTION 7 - EVALUATION METHODOLOGY ....................................................................................... 12

7.1 PROPOSAL COMPLETENESS REVIEW .......................................................................................... 13

iii.

7.2 MINIMUM QUALIFICATIONS EVALUATION ................................................................................. 13 7.3 TECHNICAL PROPOSAL EVALUATION .......................................................................................... 13 7.4 FINANCIAL PROPOSAL EVALUATION ........................................................................................... 13 7.5 ADMINISTRATIVE PROPOSAL EVALUATION ................................................................................ 13 7.6 FINAL COMPOSITE SCORE ........................................................................................................... 13

APPENDICES (REQUIRE NO ACTION FROM BIDDERS)

Appendix A – Standard Clauses for New York State Contracts

Appendix B - Reserved

Appendix C – ITS Standard Contract Clauses

Appendix C-1-Contractor’s Insurance Requirements

Appendix D – MSS Terms and Conditions

Appendix E – EEO 101, Workforce Employment Utilization/Diversity Compliance Report

Appendix F – MWBE 102, Quarterly MWBE Compliance Report

Appendix G – Glossary

Appendix H – Change Request Form

Appendix I – Reserved

Appendix J - Reserved

Appendix K – Primary Security and Privacy Mandates

ATTACHMENTS (MUST BE COMPLETED BY BIDDER’S AND SUBMITTED WITH PROPOSALS)

Attachment 1 – Proposal Checklist Summary

Attachment 2 – Mandatory Intent to Bid and Non-Disclosure Agreement

Attachment 3 – Vendor Question and Extraneous Term Form

Attachment 4 – Firm Offer Letter and Conflict of Interest Disclosure

Attachment 5 – Vendor Responsibility Questionnaire

Attachment 6 – NYS Required Certifications

Attachment 7 – Lobbying Forms All-in-One

Attachment 8 – Equal Employment Opportunity Staffing Plan – EEO 100

Attachment 9 – Minority/Women Owned Business Utilization Plan – MWBE-100

Attachment 10 – MWBE and EEO Policy Statement (Form 4)

Attachment 11 – Consultant Disclosure Form A & B

Attachment 12 – Encouraging Use of NYS Business in Contract Performance

Attachment 13 – Contractor Certification to Covered Agency, ST-220-CA

Attachment 14 – Workers Compensation and Disability Insurance Requirements

iv.

Attachment 15 - Bidder Information Form

Attachment 16 - Reserved

Attachment 17 - Reserved

Attachment 18- Technical Proposal Form

Attachment 19 - Reserved

Attachment 20- Minimum Bidder Qualifications

Attachment 22- Financial Proposal Workbook

Attachment 23- Requirements Verification and Traceability Matrix

NYS Office of Information Technology Services Request for Proposals

RFP # C000507 Page 5

5.

SECTION 1 - OVERVIEW

1.1 PURPOSE OF REQUEST FOR PROPOSALS

The New York State Office of Information Technology Services (ITS) is issuing this Request for Proposals (RFP) to seek proposals from responsive and responsible Contractors for Managed Security Services (MSS).

1.2 DEFINITIONS

Definitions for certain terms in this document, its appendices and attachments, can be found in Appendix G– Glossary of Terms.

1.3 THE OFFICE OF INFORMATION TECHNOLOGY SERVICES

1.3.1 Mission, Vision, and Values Statement

MISSION To create and deliver innovative solutions that foster a technology-enabled government to best serve New Yorkers

VISION To lead the nation in serving citizens, businesses, and visitors through world-class technology

VALUES Accountability, Citizens, Innovation, Integrity, People, Transformation

1.3.2 Formation of ITS

In 2012, New York consolidated information technology (IT) functions and service delivery from over 52 State agencies into a single agency in the largest IT consolidation in State government history. The ITS workforce of approximately 4,000 professionals serves over 120,000 end users. Historically, IT systems and applications were primarily decentralized within individual State agencies supported by internal agency teams working with disparate IT tools, methods, and varied technical platforms. Now, ITS is transforming IT across the State to offer world-class service that provides a consistent and high-quality experience for end users and citizens using an IT environment that:

• Maximizes existing resources

• Meets agency business needs with world-class customer service

• Creates a talented, innovative IT workforce

• Increases accountability

• Provides cost savings

SECTION 2 - PROJECT SUMMARY

2.1 MINIMUM BIDDER QUALIFICATIONS

Bidders are advised that the State’s intent to ensure that only responsive, responsible qualified

and reliable contractors enter into a contract to perform the work as defined in this document and

Attachment 20-Minimum Bidder Qualifications. The State considers the following qualifications,

sufficiency, capacity and experience to be a pre-requisite in order to be considered as a qualified

Bidder for purposes of the solicitation:

NYS Office of Information Technology Services Request for Proposals

RFP # C000507 Page 6

6.

1. The Bidder must have been in continuous business providing Managed Security Services as one of its primary lines of business for at least the past five (5) years.

2. The Bidder must be currently monitoring a minimum of 2,500 firewall/IDS/IPS devices across their aggregate customer base.

3. The Bidder must be currently monitoring a minimum of 100 billion log entries per month across their aggregate customer base.

2.2 PROJECT BACKGROUND (CURRENT STATE)

New York State Government is a large, complex enterprise consisting of numerous agencies, authorities, boards, commissions and local governments that support critical citizen services and meet multiple statutory and regulatory requirements. As the fourth most populous state in the nation with nearly 20 million residents, cyber threats to such services and citizen data is of growing concern. The Enterprise Information Security Office (EISO) within ITS is, in part, statutorily responsible for safeguarding many New York State government information assets and infrastructure including identifying and mitigating vulnerabilities; and detecting, responding to and recovering from cyber incidents; and promoting cyber security awareness within the state. The Cyber Command Center within ITS provides a centralized service for detection, analysis, tracking, response to and reporting of cyber threats and incidents through infrastructure monitoring, threat analytics, incident management and coordinated information sharing. ITS currently provides infrastructure and application support, development, architecture and engineering to 50+ New York state entities (“Hosted Entities”.) The current ITS footprint includes two major data centers (one in Albany, NY and one in Utica, NY), multiple smaller data centers, hundreds of critical applications, over 99,000 client workstations (desktops and laptops), over 20,000 mobile devices, thousands of remote virtual connections, and over 10,000 servers both in the centralized data center and in hundreds of remote locations across the State. ITS’ current Managed Security Service Provider (MSSP) monitors in excess of 40 billion log entries and 356 TB of network traffic per month from approximately 140 devices in approximately 33 New York state entities. IT transformation efforts are currently underway to migrate disparate NYS executive branch agency networks, assets, and services into a shared infrastructure, organized as a centralized statewide data center and dedicated backup environment for hosted agencies. Current efforts are in various stages of implementation, and the environment will be in a considerable state of transition for the foreseeable future.

2.3 BUSINESS GOALS (FUTURE STATE)

ITS is looking to procure a Managed Security Service (MSS) solution from a responsive and

responsible bidder that includes 24 hours/day, 7 days/week, 52 weeks/year capture, monitoring,

analysis and robust correlation of event logs and network flow data from sources such as, but not limited to:

❖ intrusion detection systems/intrusion prevention systems ❖ firewalls ❖ proxies ❖ anti-virus ❖ Virtual Private Network (VPN) appliances ❖ Domain Name Service (DNS)/Dynamic Host Control Protocol (DHCP) servers ❖ directory services

NYS Office of Information Technology Services Request for Proposals

RFP # C000507 Page 7

7.

❖ network flow monitors

It is expected that the awarded MSSP will create electronic alerts, based on defined priority criteria, after validation and triage by an MSSP analyst, that will be sent to the ITS Cyber Command Center and Hosted Entity designated security representative(s) via SMS and/or email. A portal, for access to the raw logs collected and a dashboard of event information, must be made available for further contextual analysis and response activities. The MSSP’s correlation should focus on detected attacks, known vulnerabilities, and known threat actors, including those that would impact the State. Below are some sample cases that would be applicable for the MSS:

❖ identify anomalous traffic or activity (e.g., spikes in log volume); ❖ identify and alert on attempted attacks against known critical servers that are

vulnerable; ❖ identify traffic to or from potentially malicious sites; and ❖ identify potential sensitive data exfiltration.

SECTION 3 - SERVICE REQUIREMENTS & DESIRABLE FEATURES

For the following sections and considering the State’s mission, objectives, challenges and broader vision

as identified in this RFP and its attachments, Bidder shall indicate their ability to comply with the

requirements listed below and outlined on Attachment 23 – Requirements Verification and Traceability

Matrix.

3.1 MANAGED SECURITY SERVICES (MANDATORY REQUIREMENTS)

a) The selected Bidder must capture, monitor, analyze and correlate all security log data provided

by ITS and manage security events on a 24 hours/day, 7 days/week, 52 weeks/year basis throughout the entire term of the Contract.

b) The Bidder must provide Managed Security Services exclusively from locations within CONUS.

c) The selected Bidder must correlate events from the customer logs ingested with additional ITS provided data sources such as, but not limited to, ITS vulnerability scan and asset inventory data.

d) The selected Bidder must correlate global threat intelligence against the data provided by ITS

in support of the service offering. e) The selected Bidder must monitor for logging anomalies 24 hours/day, 7 days/week, 52

weeks/year.

f) The selected Bidder must create alert tickets for events and incidents discovered through log analysis and correlation, and for service interruptions, and transmit them electronically to designated security personnel. The selected Bidder must have the ability to escalate by email, phone and text depending on the severity of the ticket. Tickets must be categorized and prioritized based on potential impact and severity.

g) The selected Bidder will be given separate escalation procedures for each Hosted Entity within

30 days of contract approval or upon ITS notification of a new Hosted Entity, and must maintain

NYS Office of Information Technology Services Request for Proposals

RFP # C000507 Page 8

8.

these procedures throughout the term of the contract. Any changes to the escalation procedures requested by ITS must be implemented within one (1) business day.

h) New York State staff must be given access, employing multifactor authentication, to a Web

Portal which allows for tracking and/or management of incidents and events. i) The Web Portal provided by the selected Bidder to ITS for the MSS must meet the following

requirements: 1. Must provide access controls, that comply with NIST Special Publication 800-63, to ensure

that tickets with sensitive information are only viewed by those with approved access. 2. Must include dashboards that allow for role-based views. 3. Must support the ability to search across logs on different devices simultaneously by

sorting, filtering or grouping based on individual fields in the log records that uniquely identify the Hosted Entity(s), including those that have overlapping netblocks.

4. Must include the ability to associate events with a particular Hosted Entity and to ensure that the Hosted Entity only sees events and/or log records associated with their organization.

5. Must include the ability for the user to schedule and produce ad-hoc reports detailing assets, events by asset, attack types, events types, event severity, event date and other threat indicators.

6. Must include an API to allow for programmatic access to portal information (e.g., tickets, logs, reports).

j) Logs received by the selected Bidder, as part of the MSS, and tickets created by the MSS must

meet the following requirements in order to facilitate in-depth analysis and customized correlation: 1. Be readily accessible in their native format through the Web Portal for a minimum of 92

days, as per the New York State Security Logging Standard (https://its.ny.gov/document/security-logging-standard) in order to facilitate in-depth analysis and customized correlation.

2. Be exportable into an Excel readable format.

k) The selected Bidder must provide monthly executive-level summary reporting on events and incidents seen for each Hosted Entity, for each local IT service support team and for ITS as a whole.

l) The selected Bidder must provide 24 hours/day, 7 days/week, 52 weeks/year telephone availability for remote assistance with events detected by the MSS.

m) The selected Bidder solution must provide for redundant CONUS SOCs.

n) The selected bidder must comply with the terms and conditions related to the delivery of

services as stated in: 1. Appendix C – ITS Standard Contract Clauses. 2. Appendix D– MSS Terms and Conditions.

NYS Office of Information Technology Services Request for Proposals

RFP # C000507 Page 9

9.

3.2 MANAGED SECURITY SERVICES (DESIRABLE FEATURES)

a) It is desirable that the selected Bidder is part of the US Department of Homeland Security Enhanced Cyber Security Services Program, as an accredited Commercial Service Provider, and incorporate that service into the MSS provided to the State.

b) It is desirable that the selected bidder is in compliance with one or more of the following standards: 1. ISO 9001 - Proof of this requirement will be the submission of MSSP's current ISO 9001

certification report. 2. ISO 27001 - Proof of this requirement will be the submission of MSSP's current ISO 27001

certification report. 3. ISO 20000 - Proof of this requirement will be the submission of MSSP's current ISO 20000

certification report.

c) It is desirable that the selected Bidder have the ability to integrate with ITS’s ticketing systems (Archer, Footprints and/or Service Now) by providing automated feeds to create tickets that are associated back to the Bidder’s ticketing system.

d) It is desirable that the selected Bidder have the ability to integrate with ITS’s vulnerability scanning systems (Qualys, Nessus, WebInspect) to ingest scan data in an automated way and correlate the data with events.

e) It is desirable that proposed solution has three levels of user access to the portal that can be accessed by ITS staff and/or their Hosted Entities’ personnel, with read rights flowing downward:

1. Statewide where the EISO would have access to all log entries. 2. Nested (Multi-entity) where the portal would allow access to log entries for all entities

within a particular user’s area of responsibility (e.g., local IT service support team). 3. Single Entity where the portal would allow access to log entries for a single entity.

f) It is desirable that the selected Bidder solution includes pre-configured reports running on an automated schedule and on an as needed basis. Such reports should include the following metrics or configurations:

1. Event counts by severity with selectable date range, filterable by entity/sub-entity. 2. Event counts by event types with selectable date range, filterable by entity/sub-entity. 3. Count of event types specifying total detected and number actionable with selectable

date range, filterable by entity/sub-entity. 4. Log counts sortable by device type and entity/sub-entity with selectable date range,

filterable by entity/sub-entity. 5. Ticket report with ticket identifier, description, open date, close date with selectable

date range, filterable by entity/sub-entity. 6. Unique attacking IP addresses grouped by country with selectable date range,

filterable by entity/sub-entity. 7. Report detailing whitelisted and blacklisted IP’s with comments. 8. Attacking IP’s – detailed report with IP, time, date, anomaly detected with selectable

date range, filterable by entity/sub-entity.

g) It is desirable that the selected Bidder provide security analysts dedicated to ITS.

h) It is desirable that the selected Bidder have the ability to maintain security logs which are associated to an event/alert for the life of the service.

i) It is desirable that the selected Bidder is Vendor Agnostic in terms of the technologies whose logs they can monitor.

NYS Office of Information Technology Services Request for Proposals

RFP # C000507 Page 10

10.

3.3 KEY PERSONNEL (MANDATORY REQUIREMENTS)

The selected Bidder must provide a single point of contact for contract management (Contract Manager) activities and a single point of contact for service management (Service Manager) activities. These points of contact may be, but are not required to be, the same individual. The contact(s) must be able to respond to requests for assistance not more than 2 business days from initial request and must be available by phone or email during normal business hours (9-5, M-F).

3.3.1 Contract Manager

The Contract Manager must be responsible for the following activities: a) Managing all onboarding and offboarding activities of the Service. b) Communicating status and schedule of onboarding and offboarding activities. c) Assistance with migration from existing provider’s service to MSSP’s service. d) Assistance with migration off MSSP’s service as the end of the contract. e) Contract issue resolution as needed and requested by ITS.

3.3.2 Service Manager

The Service Manager must be responsible for the following activities:

a) Working with the ITS designee to document and ensure adherence to service level

requirements, including issuance of credits, and develop service level metrics and reports. b) Reviewing service level exceptions, determine contributing factors and institute changes

through a continuous improvement process. c) Developing an escalation process for reported problems or issues related to MSS and

ensuring resolution, in coordination with ITS including, but not limited to, the root cause, analysis and proposed resolution for any outage or failure to escalate and event.

d) Producing Service Level Reports and comparing results with negotiated Service Level Agreements.

e) Training users regarding use cases, reporting functions, features, and overall use of the MSSP’s service/portal,

f) Providing security advisories and recommendations for improving New York State/ITS’s security posture.

g) Providing regular updates about new service features the MSSP may offer and new releases of existing features, if applicable to the Services provided.

h) Analyzing and advising on security device placement to achieve maximum visibility. i) Advisement on tuning of alerts on security devices to reduce false positives and false

negatives.

SECTION 4 - TERMS AND CONDITIONS

The RFP, the Bidder’s Proposal and the Contract that results from this RFP are subject to and incorporate the terms and conditions as stated in Appendix A- Standard Clauses for NYS Contracts, Appendix C – ITS Standard Contract Clauses and Appendix D– MSS Terms and Conditions. Additionally, the contract that results from the RFP (Contract) between ITS and the selected Bidder (Contractor), collectively hereinafter referred to as the Parties, shall substantially contain the terms and conditions set forth in those Appendices.

NYS Office of Information Technology Services Request for Proposals

RFP # C000507 Page 11

11.

SECTION 5 - PROCUREMENT PROCESS

5.1 METHOD OF AWARD

ITS will make an award for the services described in this RFP to a responsive and responsible Bidder on a “Best Value” basis. Best Value means that the proposal that optimizes quality, cost, and efficiency among responsive and responsible Bidders shall be selected for award (State Finance Law, Article 11, Section 163).

5.2 ADMINISTRATIVE REQUIREMENTS AND INFORMATION

5.2.1 Inquiries from Bidders

New York State Finance Law §§139-j and 139-k imposes certain restrictions on communication between NYS and Bidders during a procurement. Bidders should submit all RFP inquiries, questions, or comments to its.sm.bestvalue@its.ny.gov using Attachment 3 – Vendor Questions and Extraneous Terms Form by the due date indicated on the Calendar of Events. No other method of inquires will be accepted.

Additional information is available at: http://ogs.ny.gov/Aboutogs/regulations/defaultAdvisoryCouncil.html

Administrative issues pertaining to sending/receiving email through the designated mailbox may be reported at (518) 473-9341.

5.2.2 Filing by Bidders of Mandatory Intent to Bid and Non-Disclosure Agreement

Bidders will not receive any information regarding the Mandatory Pre-Bid Conference, Attachment 22 – Financial Proposal Workbook, nor ITS responses to vendor questions unless a fully executed Mandatory Intent to Bid and Non-Disclosure Agreement (NDA) (Attachment 2) is returned to the ITS Designated Contact listed on the cover page of this RFP by the due date indicated in the Calendar of Events. Electronically signed copies of the NDA will be accepted; however, hard copies must also be sent via mail. Once a fully executed Attachment 2 is received by ITS, ITS will provide access to the Mandatory Pre-Bid Conference, Attachment 22 – Financial Proposal Workbook, and ITS responses to bidder questions via a password-protected encrypted email. Bidders who do not submit a fully executed Mandatory Intent to Bid and Non-Disclosure Agreement will not be provided access to these documents.

5.2.3 Mandatory Pre-Bid Conference

All Bidders intent on submitting a proposal for this RFP must attend the Mandatory Pre-Bid Conference as indicated on the Calendar of Events. This conference will be held via web-ex and the meeting information will be provided to all bidders that submit the Mandatory Intent to Bid and Non-Disclosure Agreement by the due date indicated on the Calendar of Events. The purpose of the Mandatory Pre-Bid Conference is solely to review Attachment 22 – Financial Proposal Workbook. No other topics will be addressed during this meeting. All questions related to any other section of this RFP should be submitted in accordance with section 5.2.1.

5.2.4 Communications from NYS to Vendors

ITS has established a procurement website for the purpose of disseminating information relating to this procurement, and vendors are encouraged to monitor the site. The website URL is provided on the cover page of this RFP.

5.2.5 Procurement Record

ITS shall maintain a Procurement Record that documents the procurement process.

NYS Office of Information Technology Services Request for Proposals

RFP # C000507 Page 12

12.

5.2.6 Building Access Procedures for Visitors and Hand Deliveries

To access the ITS office building, all visitors must present photo identification at the Security Desk and comply with other requirements. Bidders who intend to hand-deliver Proposals or utilize independent courier services should allow extra time to comply with these procedures. Bidders hand-delivering their Proposals should ask the security personnel at the security desk to call the Designated Contact(s) indicated in this RFP or the Procurement and Contracts Support Unit. Building Access procedures may change or be modified at any time. Bidders assume all risks for timely, properly submitted hand deliveries.

5.3 NO LATE SUBMISSIONS

All Proposals must be submitted and received by the Proposal submission dates and times specified in this RFP. Proposals received after the Proposal Submission Deadline shall be rejected.

Faxed proposals and electronic submission will not be accepted. If proposal packaging labels are not sufficient to identify the contents, ITS reserves the right to open packages for the purpose of identifying the source and contents of the package. All materials submitted by the Bidder become the property of the State and may be returned only at the sole discretion of ITS.

SECTION 6 - PROPOSAL REQUIREMENTS

6.1 PACKAGE LABEL

All Proposals must have a label on the outside of the package or shipping container with the following information:

RFP C000507- Managed Security Services - PROPOSAL ENCLOSED

NOT TO BE OPENED EXCEPT BY AUTHORIZED PERSONNEL

6.2 MULTIPLE SUBMISSIONS

Bidders may submit more than one proposal for the purpose of offering alternative solutions but each proposal must meet all of the mandatory requirements of the RFP, be complete in itself, and must not reference or incorporate portions of another proposal submitted by Bidder. Multiple proposals received from the same Bidder will be separately evaluated by ITS as if each proposal were the sole submission of the Bidder.

6.3 GENERAL REQUIREMENTS FOR PROPOSALS

Bidders must submit a complete response to this RFP that satisfies the requirements set forth in this RFP. Failure to do so may render the Bidder’s proposal non-responsive. A proposal check list is included in this RFP as Attachment 1.

Proposals that make extensive use of color photographs or illustrations, or that include separate brochures or marketing materials and overly elaborate embellishments, are discouraged.

All proposals submitted in response to this RFP, must be written in the English language with quantities expressed using Arabic numerals and United States Dollars ($ USD), as applicable.

SECTION 7 - EVALUATION METHODOLOGY

The evaluation process will be conducted in a comprehensive and impartial manner.

NYS Office of Information Technology Services Request for Proposals

RFP # C000507 Page 13

13.

7.1 PROPOSAL COMPLETENESS REVIEW

After the Proposal opening, each proposal will be screened for completeness and conformance with the RFP requirements. Proposals that do not meet the RFP requirements may be deemed non-responsive, removed from further consideration, and the Bidder notified accordingly. Proposals that pass will proceed to the Technical Evaluation.

7.2 MINIMUM QUALIFICATIONS EVALUATION

Proposals submitted by Bidders will be evaluated on a Pass/Fail basis to determine whether they satisfy the RFP’s Minimum Bidder Qualifications and Mandatory Requirements as outlined in Attachments 20 and 23. Proposals that fail to meet the minimum qualifications will be deemed non-responsive, will not be further evaluated, and the Bidder will be notified accordingly. Passing proposals next proceed to the Technical and Financial Evaluations. Bidders may still be disqualified if it is later determined that the Bidder did not meet all of the RFP minimum qualifications and should not have qualified to move on to the Technical and Financial Evaluations stage.

7.3 TECHNICAL PROPOSAL EVALUATION

The Technical Proposal will be weighted at 70% of the overall total. The Technical Evaluators will independently score each Technical Proposal using a weighted average to calculate the Technical Score for each responsive Bidder.

7.4 FINANCIAL PROPOSAL EVALUATION

The Financial Proposal will be weighted at 30% of the overall total. The Financial Proposal evaluation will be based on a maximum score of 30 points which will be allocated to the proposal with the lowest price. All other responsive proposals will receive a proportionate score based on the relation of their Financial Proposal to the proposal with the lowest price, using this formula:

Financial Proposal points awarded = 30 points x (Lowest Price Financial Proposal/Price of Proposal Being Evaluated)

7.5 ADMINISTRATIVE PROPOSAL EVALUATION

No points awarded for the Administrative Proposal

7.6 FINAL COMPOSITE SCORE

A final composite score will be calculated by adding the Technical Proposal score to the Financial Proposal score. The Proposals will be ranked based on the combined scores. The Bidder with the highest composite score may receive a tentative award, subject to successful contract negotiations and approval by the Attorney General and Office of the State Comptroller.

Should more than one Bidder get the same total score, the tie will be broken using the Financial Proposal score. When price and other factors are found to be substantially equivalent, ITS wills select the winning Bidder at its sole discretion.