USA(Florida)
SYS-0694

RFP Description

The vendor is required to provide the following for the electric utility's energy management system (EMS):
- The cyber vulnerability assessment (CVA)
a. Planning activities
1. Personnel and training:
• For all of consultant’s personnel, including subcontractors if utilized, that are involved with conducting the cyber vulnerability assessment (CVA), provide evidence in accordance with CIP-004-6 R2 (completed cyber security training), R3 (personnel risk assessment including a 7-year criminal background check) and R4 (authorization and provisioning to access control center facilities and systems).
2. Kickoff meeting:
• Conduct an initial planning meeting with city stakeholders to discuss the scope, objectives, execution plans, monitoring requirements and exit plans for scheduled or forced terminations of the CVA scanning process to ensure clear goals and expectations for both parties.
3. Documentation review:
• Review applicable sections of city CIP compliance program outlining security management practices, network diagrams and device configurations.
4. Personnel interviews:
• Obtain a list of key city personnel, including internal stakeholders or third-party vendors, who possess expertise on city security processes, network structure and configurations.
5. Project plan:
• Provide a detailed project plan, including a timeline with a breakdown of key activities such as system analysis, vulnerability scanning and final reporting.
b. Assessment activities
1. Cyber vulnerability assessment:
• Conduct an active CVA in a manner that is non-intrusive and does not adversely affect EMS operations.
• Penetration testing is not allowed.
• Identify any gaps or deficiencies related to compliance by evaluating the current systems against corporation CIP-10-4 R3.
2. Active network discovery:
• Identify all active assets within the detected network range to determine if any are unauthorized.
• Verify that the discovered assets and their communication paths align with current documentation of the network infrastructure using Nmap or other similar discovery tools.
3. Vulnerability scanning and identification:
• Perform detailed vulnerability scans on in-scope cyber assets and services to identify potential cybersecurity vulnerabilities, risks, strengths, and best practices.
4. Network port and service identification:
• Identify ports and services that are enabled on identified network hosts.
• This includes classifying each device and virtual machine according to operating system, hardware vendor, physical network address and hostname.
5. Wireless scanning:
• Perform a scan of city systems to confirm that there is no wireless network traffic occurring from any unauthorized wireless signals or networks within the physical perimeter of the cyber system.
6. Password management:
• Review city program to verify that the appropriate password controls are implemented and followed on all system devices for default accounts, shared accounts, and network management accounts, ensuring that no default passwords exist.
7. Personnel interviews:
• Conduct interviews with key city personnel responsible for governance and management of cybersecurity services.
- Resources
a. System documentation:
• Detailed documentation of the EMS, including security management practices, architecture diagrams, network layouts, system configurations and other relevant documentation.
b. Compliance documents:
• All relevant compliance documentation, internal security policies and any prior vulnerability assessment reports.
c. Technical assistance:
• Key personnel, including internal stakeholders or third-party vendors, who possess expertise on city security processes, network structure and configurations.
d. On-site access:
• Supervised access to city facilities and the necessary in-scope networks and systems required for the CVA.
e. Sensitive documents:
• On-site access to sensitive documents and information that could not be provided electronically due to data security and confidentiality concerns.
- Contract Period/Term: 3 years
- Questions/Inquiries Deadline: April 08, 2025

Timeline

RFP Posted Date: Saturday, 29 Mar, 2025
Proposal Meeting/Conference Date: NA
Deadline for Questions/Inquiries: Tuesday, 08 Apr, 2025
Proposal Due Date: Friday, 18 Apr, 2025
Authority: Government
Acceptable: Only for USA Organization
Work of Performance: Onsite