The vendor is required to provide comprehensive cybersecurity solutions through multiple procurements that include a district-wide application vulnerability patch management system, a network access control (NAC) solution, a centralized DHCP/DNS/IPAM (DDI) system with integrated cybersecurity capabilities, and a managed next-generation extended detection and response (XDR) with email security.
• DHCP, DNS and IPAM (DDI) centralized solution and associated cyber security services
• Managed next generation extended detection and response solution and email security advanced solutions
• Application vulnerability patch management and associated services
• Network access control solution for cyber security
1. DHCP, DNS and IPAM (DDI) centralized solution and associated cyber security services
a. Current environment
• Client hardware: client devices available at agency school sites vary widely in type and age.
• Agency is a multiplatform district, including macOS, iPad, Chromebooks, Windows 10 or better, and Windows Server 2016 or better.
o Many clients now support DNS over HTTPS (DoH) or DNS over TLS (DoT), so the proposed solution should include the features to deal with this new type of DNS.
▪ VAR is expected to know how to configure/set up clients to use DoH/DoT with the DDI solution and advise the district accordingly.
• Multi-site networking: district has over 86 sites, each with their own distinct network VLANing, and centralized datacenters which support DDI services for all the sites.
o Multiple sites which need to be clearly defined as top-level groups for scopes pertinent to each site.
o Multiple DHCP scopes per site (between 12 and 40).
o Variety of CIDR and super-scoping networks exist at these sites, so DDI must support both types.
o Various DHCP options for NTP, paging, imaging, DNS servers, VoIP gateways, etc.
o Centralized DNS for Windows AD domain and all internal networking and the clients internally.
o Recursive and forwarding DNS to external sources such as MS-ISAC for all internal DNS traffic.
• Support for AD or Azure SSO for IT staff members to manage the platform
• Support for MFA integration for IT staff members for secure access to the platform, preferably via an authenticator app such as Microsoft, Duo or Google.
• Support for role-based access for various roles and responsibilities of the IT department who need access to the DHCP/DNS/IPAM system.
• Desired integrations setup via APIs to the district’s current security infrastructure, including but not limited to:
o Fortigate firewalls
o Vulnerability assessment systems such as CIS Albert or others.
o Network access controls, such as Aruba ClearPass and Cisco ISE
• Working with the district on the removal (if applicable) of the incumbent DDI solution and replacing it with a new one.
• Including data conversion from existing to new.
• Identifying and testing with a specific set of district client platforms (listed above) to ensure the DDI is functioning as expected, reporting back to the web console, and not causing any strange device issues or interfering with user activity.
• Providing guidance and troubleshooting to the district as part of the full deployment of the DDI system to all sites (DHCP and DNS).
• Reviewing the web console for all DHCP/DNS and IPAM services to determine if any tweaks need to be made to achieve best practices.
• Vendor solution must run on a hardened Linux (or equivalent) appliance.
• Preferably vendor solution hardware must be robust enterprise-level hardware with full redundancy of critical subsystems (power, disks, etc.), as well as out of band management.
• SSD or flash for disk storage subsystems is preferred over traditional hard drives.
• Vendors proposing Windows OS-based solutions will be rejected.
• Providing the district with all licensing, documentation, and other information necessary to transition from implementation to production operations.
• Provide all knowledge transfer to district IT staff for assumption of operational control and monitoring and maintenance.
b. Provide annual metrics and data outputs
• Reporting on DNS traffic suspicious activity, including but not limited to excessive queries to malicious domains or unauthorized DNS updates.
• Reporting on detection events of DNS-level attacks and which protections or policies intervened to prevent malicious actors from using DNS to compromise the network.
• Metrics on the enforcement of access control policies to restrict access to specific IP addresses or DNS records, preventing unauthorized users from accessing sensitive resources (zero trust policies).
• Reporting and logging of threat detection incidents regarding DHCP and DNS requests, and alert reports showing notification to IT staff of suspicious activity to be reviewed.
• Metrics of automated response capabilities (if that exists), such as blocking malicious IP addresses or updating DNS records by the solution to prevent further attacks.
• Categorization of DNS threats seen by threat category, as well as by client type
• System downtime and outage logs related to system maintenance or other outages that provide an uptime value presented as a percentage (i.e., five 9’s).
c. Support benchmarking and progress analysis
• Assist in identifying measurable improvements in security posture as a result of implemented tools and services.
• Provide an annual executive summary highlighting findings, trends, and actionable recommendations.
• Collaborate with district IT staff annually to compare results against previous years’ benchmarks.
2. Managed next generation extended detection and response solution and email security advanced solutions
a. Current environment
• Client hardware: client devices available at agency school sites vary widely in type and age.
• Agency is a multiplatform district, including macOS, iPad, Chromebook, Windows 10 or better, and Windows Server 2016 or better.
• Client management systems: in order to mass deploy extended detection and response (XDR) agents, the district is currently leveraging the following mobile device management (MDM) services:
o PCs are enrolled in Microsoft Intune.
o Macs are enrolled in Mosyle.
o iOS devices are enrolled in Mosyle.
o Chromebooks are enrolled in Google’s Workspace for Education management console.
• Developing and supporting the mobile device management (MDM) integrations for application push to district devices and troubleshooting any installation issues with installation command line options.
• Provisioning and initial setup of the web-based console for the product(s) purchased under this RFP for the district and enabling access to a specific group of district IT staff members.
• Full setup of best practices for device policies for all platforms that will have an agent installed, for operating systems below:
o Windows
o macOS
o iOS/ iPadOS
o Linux
o Android and/or Chrome OS
• Full setup of alerting and reporting for the district’s IT staff members.
• Desired integrations setup via APIs to the district’s current security infrastructure, including but not limited to:
o Fortigate firewalls
o Intrusion detection systems (IDS)
o Vulnerability assessment systems
o Industry standard DDI integrations
o Network access controls, such as Aruba ClearPass
o Support indicators of compromise (IOC) ingestion via API
• Develop and test agent update procedures on the various platforms and demonstrate the update process so it is clearly understood.
• Assisting the district with the removal (if applicable) of the incumbent endpoint detection and response (EDR) solution application and other legacy software that could be performing A/V functionality.
b. Email security
• Currently, the district utilizes Gmail.
o DKIM, SPF, DMARC
o DLP
o TLS enforcement
o Sandboxing
• Integration and proactive scanning to cloud workspaces, e.g. Google Drive, OneDrive, SharePoint, Teams.
• Anti-phishing leveraged by AI and ML behavioral analysis.
• Pre-delivery email security inspection.
• User quarantine restore requests.
3. Application vulnerability patch management and associated services
a. Current environment
• Client hardware: client devices available at agency school sites vary widely in type and age.
• Agency is a multiplatform district, including macOS, iPad, Chromebooks, Windows 10 or better, and Windows Server 2016 or better.
• Client management systems: in order to mass deploy the awarded application vulnerability patch management solution, the district will currently leverage the following mobile device management (MDM) services:
o PCs are enrolled in Microsoft Intune.
o Macs are enrolled in Mosyle.
o iOS devices are enrolled in Mosyle.
o Chromebooks are enrolled in Google’s Workspace for Education management console.
b. Implementation
• Full setup of best practices for device policies for all platforms that will have an agent installed, for applicable operating systems below:
o Windows
o macOS
o iOS/ iPadOS
o Linux
o Android and Chrome OS
• Full setup of alerting and reporting for the district’s IT staff members.
• Identifying and testing with a specific set of district client platforms (listed above) to ensure the application vulnerability patch management solution is installed, functioning as expected, reporting back to the web console, and not causing any strange device issues or interfering with user activity.
• Vendor must utilize the Center for Internet Security’s (CIS) benchmark controls or similar benchmarks to enforce hardened security controls based on best practices of the proposed solutions.
• Vendor must meet or exceed National Institute of Standards and Technology (NIST) controls identified in NIST SP 800-128.
• Providing the district with all licensing, documentation, and other information necessary to transition from implementation to production operations.
• Provide all knowledge transfer to district IT staff for assumption of operational control and monitoring and maintenance.
4. Network access control solution for cyber security
a. Current environment
• The district is currently utilizing network equipment manufactured by Cisco, HPE and Fortinet systems throughout the system. These systems include end user switches and access points, core switches, wide area network equipment, Windows servers, VMware hosts, VPN gateway/firewalls, etc.
• The district currently has approximately over 250 servers; the majority of the physical/virtual servers are running Microsoft’s Windows operating systems.
b. Business objectives
• The network access control solution must provide endpoint discovery, controlled and audited access (including OS patch level identification and antivirus status), automation (patch remediation, antivirus remediation, etc.), reporting and alert capability for the network access related operations.
• By incorporating a minimally intrusive NAC solution into the information security operations, the district is expecting to improve visibility, compliance and governance efforts and focus on what is most important, improving the district’s information security posture while maintaining high levels of uptime for critical teaching and learning activities.
• The planned NAC solution will be a critical component of the district’s information security strategy and will require maximum uptime (99.99%).
- Contract Period/Term: 3 years
- Questions/Inquiries Deadline: June 25, 2025