Post on 03-Jul-2020
Page 2 of 17

ADDENDUM “A”

Questions and Answers for Specification No. 18-11195-C CYBER RESILIENCE PLAN

The City of Berkeley has received questions from some potential respondents regarding Specification No. 18-11195-C, CYBER RESILIENCE PLAN.

In an effort to provide the same information to all, listed below are the questions received to date, with responses from City staff.

Q1: Is there an incumbent for this project?
A1: No.

Q2: What is the maximum budget allocated for this project?
A2: The City has researched cost estimates and has budgeted accordingly. Please provide your best proposal.

Q3: How many candidates is City of Berkeley expecting for this project?
A3: The Project is open to all vendors who are interested in responding and meet the criteria defined in the RFP.

Q4: What is the maximum duration and number of hours required to complete this project?
A4: Hours are unspecified. Please refer to the timeline in the RFP for completion milestones and dates.

Q5: Can the city please share what the not-to-exceed budget is for this project?
A5: Please see answer to Q2.

Q6: Do you have a sample contract we can review?
A6: The sample contract for Consulting (Professional) Services Contract is available online: https://www.cityofberkeley.info/Finance/Home/Current_Bid_and_Proposal_Opportunities.aspx All potential vendors should accept all terms and conditions of this boilerplate.

Q7: "Our California clients have been pretty much in the technology and health care space, and we have done a lot of work with HIPAA, FISMA and various NIST guidance and frameworks. I saw in the selection criteria of your RFP that you would like to see references from prior California government clients and references count for 10 points. We will have no problem providing 3 or more references but we have no government contracts in California or elsewhere. It's possible we could partner with another organization with such prior experience, but I wonder if you think that would end up being a disqualifier?"
A7: Past government contracts and references are not required.

Q8: Is the IT organization centralized or decentralized?
A8: Centralized.

Q9: Has a security control framework been adopted? If yes, which one?
A9: Proposing and justifying a security control framework would be a deliverable under the Policy and Rationale focus area.

Q10: Are there documented policies, procedures, standards, and guidelines in place? If so, how many?
A10: There is an omnibus policy in place. Proposing and justifying a portfolio of policies, procedures, standards, and guidelines would be a deliverable under the Policy and Rationale focus area.

Q11: Does the City require a review of its IT policies and procedures?
A11: Yes, the review of IT policies and procedures is within the scope. The vendor may propose within their project plan their work sizing recommendation on reviews, including their method for Milestone #1 “As Is” Assessment.

Q12: How many staff will require interview for Milestone #1?
A12: The City anticipates interviews with stakeholders in the 14 City departments and the vendor may propose within their project plan their work sizing recommendation on interviews, including their method for Milestone #1 “As Is” Assessment.

General

Q13: The duration for the work effort listed in the RFP appears to be about 3 months.

o Does the city see this as a one / two / three person effort?
o Based upon the complexity, does the city estimate this as 200-500 hours, 500-1000 hours, 1000-2000 hours, 2000+ hours of work effort? (This will help quantify the level of depth / work effort being requested)

A13: The vendor should propose their project plan, including their anticipated staffing/sizing based upon their expertise and past experience with similar organizations.

Q14: Does the work being requested fall under the Professional - Semiprofessional Business License?
A14: Professional.

Q15: The RFP states “The primary facility is Civic Center, plus approximately 36 remote sites”.

o Is the respondent going to need to visit all sites?
o Are the staff being interviewed collocated or spread out at the 36 remote sites?

A15: Yes, the scope includes the Civic Center and all remote sites, and their cyber-resilience “As Is” status and “To Be” needs are required for these respective milestones. How the vendor intends to document both should be proposed within their project plan.


Q16: The RFP States “DoIT is staffed by 43 FTE City employees currently organized within five teams: (a) 311, (b) business and (c) enterprise applications, (d) department administration, and (e) IT operations and security.”

• Does each of the five teams follow a single security policy set or is each team operating independently from a security perspective?
• Will a single report be acceptable or is a separate report / section required for each team?

A16: Please see answers to Q8 and Q10. A single report/section within the respective milestones is OK.

Milestone 1

Q17: The RFP States: “Evaluate the City’s current cyber resilience posture, capabilities and technology environment, including services provided, cybersecurity and application portfolio, infrastructure tools, organizational readiness, funding, product lifecycles, and service methodology;”

• Can the city provide a detailed list of the current technology environment?
• Can the city provide a detailed list of the current services provided?
• Can the city provide a detailed list of the current application portfolio?
• Can the city provide a detailed list of the current infrastructure tools?

A17: Existing inventories will be made available to the vendor that is awarded the contract. The currency and level of detail of same could be a discovery identified by Milestone #1. Explicit expectations on same should be specified by the submitter within their proposal.

Q18: The RFP States: “Prioritize and rank existing staffing, resources, services and programs – business, DoIT and cyber resilience – based on their ability to achieve the City’s vision in conjunction with and in support of the City’s adopted plans – GIS Master Plan, DSP, Strategic Plan, etc.;”

• Can the city provide the number of staff that need to be interviewed, prioritized and ranked?
• Can the city provide the number of types of resources, services and programs that need to be reviewed, prioritized and ranked?

A18: Please see answer to Q12.

Q19: The RFP States: “Evaluate the City’s current operations and governance, as well as organizational structures, budget, policies and vehicles to ensure that these best meet the City’s cyber resilience needs through the most appropriate organizational units, processes, contract provisions, service agreements, resource allocations, employee staffing and development, and reporting relationships; and”

• Can the city provide standards and regulations that are being addressed in the current governance program?
• What is the current security organization structure?
• What is the current security budget?
• Are current security policies in place and followed?
• Describe some current vehicles in place for security?

A19: Existing documentation will be made available to the vendor that is awarded the contract. The vendor should propose within their project plan their expectations and methods for evaluating these items.

Q20: The RFP States: “Meet with individual City’s Department Directors and their key staff members including IT staff members to determine cyber resilience gaps, potential milestones, timing gates and dependencies, cultural dimensions/needs, and other desired needs;”

• Approximately, how many individuals are to be interviewed? (5-10, 10-20, 20-30, etc.)

A20: Please refer to the answer to Q12. The list of Department Directors is a public record available through the City of Berkeley website.

Milestone 1: Deliverable 1

Q21: The RFP States: “This includes results from the desired “end state” interviews and data gathering. A cyber resilience needs assessment that considers the culture, business expectations and business needs of the organization, including the operations in the field. The Assessment will discuss cyber resilience objectives and requirements of each Department as well as opportunities for incorporation of existing activities, staff, systems, resources, plans, vehicles, and of supporting emergency and disaster response capabilities into the cyber resilience strategic plan and roadmap.”

• Please describe the level of detail required in the deliverable? High-Level, Medium-Level, Extensive Details.
• Please describe the expected level of detail for the roadmap?
• This is the first time the RFP Milestone 1 mentions “supporting emergency and disaster response capabilities into the cyber resilience strategic plan and roadmap”. Is this data also expected to be fully evaluated in this milestone?

A21: Section II Scope of the RFP provides the details and the deliverables expected for the roadmap in order to define and execute the 5-year roadmap. For the level of detail, the vendor may want to refer to the Digital Strategic Plan (DSP) https://www.cityofberkeley.info/IT/Home/IT_Digital_Strategic_Plan___Roadmap.aspx and its level of detail in developing their proposal. Page 3 of the RFP refers to the support for emergency and disaster response. The data needs to be evaluated to the degree that cyber resilience impacts “technology’s role in enabling continuity of government as well as the delivery of a smart-city services.” Please refer to the fourth of the five focus areas of the Plan.

Milestone 2

Q22: The RFP States: “Prioritize cyber resilience objectives, requirements and milestones across the five (5) focus areas of the five (5) years of the CRP based on the City’s current and proposed business needs, goals and plans, and evaluate alternative approaches and means for meeting those needs;”

• For Milestone 2 are we to only focus on the five (5) focus areas and not incorporate results from other areas in Milestone 1? (If so, the two milestones can be performed in parallel.)

A22: The scope of this work effort is restricted to the five (5) focus areas of the cyber resilience plan (or “Plan”). Both Milestone #1 (“As Is” Assessment) and Milestone #2 (“To Be” Planning) are expected to be conducted and structured with respect to the five (5) focus areas of the Plan and its Deliverables. The vendor proposal must include their approach to conduct each milestone as well as conduct a gap analysis between the “As Is” and “To Be” in order to produce the Deliverables of the Plan across the five (5) focus areas.

Q23: The RFP States: “Identify and rank known cyber resilience concerns, objectives, requirements and milestones that cannot be addressed within the scope of the initial CRP for inclusion in follow-on CRPs;”

• Are these items identified during Milestone 1 that cannot be incorporated in the five (5) focus areas?
• Please describe a situation where these areas may not be able to be incorporated? (e.g., not in budget)

A23: The scope of this RFP is restricted to the five (5) focus areas of the cyber resilience plan (or “Plan”). The Vendor may identify in their proposal categories of items that they do not consider within the scope of the five (5) focus areas, but which they deem are pertinent to such a cyber resilience plan. All gaps discovered between the “As Is” and “To Be” states will either be incorporated into the roadmap as an item that will be accomplished during its timeframe or will be assigned and ranked for inclusion in follow-on Plans. Three (3) examples of items that would be so “tabled” / assigned are:

• The overall ranking of the item and its inherent or associated dependencies is not high enough to accomplish within the initial Plan.
• The technical or operational maturity needed to establish or accomplish the item and its inherent or associated dependencies is not anticipated to be sufficient within the timeframe of the initial Plan.

In either case, prerequisites of the “tabled” item could necessarily be incorporated within the initial Plan. For example, items of multi-year work efforts (e.g., from proof-of-concept to pilot projects to initial business as usual (BAU) capability, etc.), or the extension and expansion of capabilities (e.g., from North-South monitoring to end-to-end East-West visibility to fused IT and OT awareness). The Vendor must develop a plan with key milestones including the order of the dependencies and estimated budget. City will incorporate the future implementations as part of their budgeting process and operational needs. The City’s mission statement includes “initiate innovative solutions” and “do so in a fiscally sound manner”.

Q24: The RFP States: “Identify and estimate the initial implementation as well as ongoing lifecycle requirements in level-of-effort, skills, personnel and budget over the first five-years, as well as the value propositions and What’s In It For Me (WIIFM) factors for each recommended cyber resilience need. Assess the viability of the existing budget, personnel and organizations to accomplish the intended posture and maturity of the program by the end of the first five (5) years. Additionally, identify and estimate any increases over a baseline business-as-usual (BAU) threshold in operational costs for personnel and budget requirements of each recommended cyber resilience need for out-years (years six (6) through ten (10)); and”

• Are magnitude estimates sufficient or will contacting security product vendors be required in order to acquire estimates?

A24: The vendor proposal should specify the method that the vendor will use and provide estimates within their completion of the milestone. City will follow its purchasing policies and procedures to contact future vendors as the projects in the roadmap are approved and funded.

Q25: The RFP States: “Document and present findings and recommendations in a comprehensive five (5) year strategic plan with a swim lane diagram for each focus area and roadmaps with milestones, dependencies, resources and actions both within each focus area and across the whole strategic plan. Additionally, document known concerns, objectives, requirements and milestones that the City of Berkeley should anticipate needing to address within any succeeding cyber resilience plan (e.g., for years six (6) through ten (10)) or one that extends and expands upon this plan and roadmap.”

• Is the presentation detailed in this section different from the request in Milestone 2: Deliverable 4? The invoice section seems to tie these two items together.

A25: The section quoted applies to Deliverable #2. Please see the section of the RFP on Deliverable #2 that immediately follows the quoted section. The items produced with Deliverable #2 are the draft version of the documents expected in preparation of Deliverable #4. The presentation would be by the vendor to the appropriate City of Berkeley employees for evaluation of the draft prior to producing any final version of the Cyber Resilience Plan, Implementation Roadmap, and Executive Summary.

Milestone 2: Deliverable 2

Q26: The RFP States: “A successful CRP is one that the City Manager, the Director of IT and the Information Security Manager, Department Directors and their key staff members are proud to put forward to the Council for approval and to the City’s members and community for buy-in and fulfillment. And, which the City Manager, the Director of IT and the Information Security Manager, Department Directors and their key staff members readily execute over the life of the roadmap.”

• Is the delivery of the report the trigger to invoice?

A26: The Vendor must include a preliminary project plan including deliverables. The invoicing criteria need to be deliverable based and fixed cost for each deliverable. The City will work with the selected vendor to include the deliverables and invoicing details as part of the final contract.

Milestone 2: Deliverable 3

Q27: The RFP States: “A preparatory organizer for the target audience that, above all The final plan and roadmap will include the agreed recommendations specified in such a manner that the City Manager, the Director of IT and the Information Security Manager, Department Directors and their key staff members will be able to expeditiously complete and coordinate its implementations, projects and work efforts, achieving its milestones and objectives on time and on budget.”

• Who is the audience of the Executive Summary?
• Is the Executive Summary a standalone document or the initial portions of the prior reports?
• Is this required to be a technical report or an extremely polished report including having graphical artists / technical editors / etc.?
• Is the presentation detailed in this section different from the request in Milestone 2: Deliverable 4? The invoice section seems to tie these two items together.
• Is the delivery of the report the trigger to invoice?
• The invoicing section says this will be paid upon acceptance (i.e., not on delivery). Please describe the acceptance criteria?

A27: Please refer to the answers to Q25 and Q26.

Milestone 2: Deliverable 4

Q28: The RFP States: “Presentation of Final Cyber Resilience Plan – see above. Presentation of Final Implementation Roadmap – see above. Presentation of Executive Summary”

o Are these three separate presentations or will they all be conducted together at one time?
o How many times will each item need to be presented?
o Who is the audience of these presentations?
o Will the presentations be scheduled within 5-10 of report delivery?
o Are these presentations during normal business hours or after hours?
o The invoicing section says this will be paid upon acceptance (i.e., not on delivery). Please describe the acceptance criteria?

A28: The vendor proposal should identify whether they intend to present all three final documents in a single session or across multiple sessions (individually or together). All sessions will be conducted within normal City of Berkeley business hours. IT schedules formal presentation to the City Council based on council dates. Regarding acceptance criteria: (1) this is located in V. Payment – bullet point #4. (2) As to the criteria, please see Section II, Deliverable #3 of the RFP. (3) For reference on the level of detail that’s expected, the vendor may also want to refer to the Digital Strategic Plan (DSP) https://www.cityofberkeley.info/IT/Home/IT_Digital_Strategic_Plan___Roadmap.aspx and its level of detail. (4) Please refer to the answers to Q25 and Q26.

Invoicing:

Q29: The RFP States: “

15 % Upon contract execution
30 % Upon Completion of Deliverable #1 “As Is” Assessment
Completion and initial results from the Desired “To Be” State interviews and data gathering
20 % Upon Completion of Deliverable #2 Presentation of Draft Cyber Resilience Plan and Roadmap
20 % Upon Acceptance of Deliverable #3 Presentation of Draft Executive Summary
15 % Upon Acceptance of Deliverable #4 Presentation of Final Cyber Resilience Plan; Presentation of Final Implementation Roadmap; Presentation of Executive Summary”

This invoicing section essentially keeps 35% of the bill until the end of the project and unpaid until presentations take place. Is the city open to other invoicing terms that are more tied to the work performed than waiting for presentations to take place and undefined acceptance criteria?

A29: Yes.

Q30: Should the RFP response be prescriptive to the requirements listed or should we include additional services OpenSky feels strongly about to help accomplish the goals?
A30: Please refer to the answer to Q23.

Q31: Although not specifically called out in the RFP, would any of the following be in scope as part of the Cybersecurity Assessment?

Small Sized Phishing Test
Capability Assessment of Distributed Denial of Service (DDOS)

A31: Please refer to the answer to Q23.

Q32: Can you please clarify how City of Berkeley would like to organize the project? Usually when planning projects which are gap analysis OpenSky likes to break out the work into “As-Is” – Current State, “To-be” – Desired State, “gap analysis” – What are the gaps between where we are and where we want to be, and Action Planning – “How do we get there” stages. OpenSky feels the most effective and efficient use of time is to prioritize after understanding Level of Effort, Risk and Interdependency. This may be semantics and is simply a bigger “To-Be” encompassing the GAP analysis and Action Planning Stages; however, OpenSky wants to address City of Berkeley’s needs as best as possible and get clarification on this.
A32: Vendors should include in their description of Milestone #2 sub-stages that they consider important to further defining “how we get there” within Deliverable #2 – Cyber Resilience Plan (CRP) and Implementation Roadmap. Vendors simply identify or group such sub-stages within their proposed project plan.

Q33: Is a detailed project plan required for the response or are you looking for milestone / summary level?
A33: The proposal should specify the project plan at the level that the vendor deems appropriate.

Q34: Is it acceptable to make changes to any of the wording in any of the attachments?
A34: No.


Q35: Do you have a project management office that we will work with or would you like us to quote project management services as well?
A35: The City of Berkeley will assign appropriate staff needed to the project. The proposal should specify whether the vendor intends to quote for project management services within their delivery team.

Q36: Does the City of Berkeley have or plan to have reciprocal resiliency agreements with the County, with neighboring municipalities, or with the State of California?
A36: Yes.

Q37: A resiliency framework for data security needs to be able to correctly interpret legitimate requests for sensitive data, and effectively deny unauthorized requests. Does the city use or foresee an arbiter function to vet data requests beyond simply authentication? This is related to the Data Transparency, Data Privacy and Data Security commentary where certain types of data may need to be governed by the context of the data request in addition to the identity of the requesting party.
A37: Yes.

Q38: For Business Continuity Planning purposes, are Recovery Time Objective (RTO) and Recovery Point Objective (RPO) metrics defined by the City or by the individual data stakeholders? If the individual stakeholders, how is that information conveyed to or negotiated with other stakeholders in the system? (Lax RTO/RPO expectations can impact data reliability during an outage.)
A38: Inventory of stakeholders (supporting and supported) as well as their expected RTO and RPO is a potential item to be evaluated and placed within the roadmap as part of this work effort within focus area #4.

Q39: Is there an intent to provide any programmatic restrictions on any governmental agencies for access to the data in the control of the system? (e.g. Are law enforcement agencies allows to see immigration status information?) A39: Yes. This work effort and its outcomes is intended to enable the City of Berkeley to comply fully with its policies (see RFP discussion of focus area #3).

Q40: For Smart City services, does the City use or plan to use vehicle tracking for city-operated vehicles? Does this apply to private vehicles as well for traffic management functions?
A40: Smart City transportation – city operated vehicle and traffic management functions would be included within the Cyber Resilience Plan (CRP) and Implementation Roadmap.

Q41: Will municipal, private local or regional transportation traffic information (schedules, congestion, issues and alerts) be included in the Smart City services?
A41: Please refer to the answers to Q40 and Q42.

Q42: Is there any intent to allow the public, businesses or entities external to the City of Berkeley access to information through the City’s networks?
A42: The City of Berkeley has an extended enterprise that includes public and private entities.


Q43: Should the City’s cyber resiliency plan include input from or interaction with City infrastructure systems (e.g. SCADA, Industrial Control, Building Automation and related sources)?
A43: This is a potential item to be evaluated and placed within the roadmap as part of this work effort.

Q44: Should the City’s cyber resiliency plan include input from or interaction with City mobile resources and IoT devices?
A44: Yes.

Q45: How many servers support the IT infrastructure? How many are virtual servers versus physical servers? Do these servers reside in a central data center or is an infrastructure cloud service provider utilized? If an IaaS provider is used please outline what types of systems are cloud based versus on premise infrastructure.
A45: The City of Berkeley is equivalent to a medium sized business. The City’s Enterprise System Catalog is available on the City’s website (https://www.cityofberkeley.info/IT/Home/Enterprise_System_Catalog.aspx). Specific inventories of IT resources will be provided to the winning bidder.

Q46: Do all employees have some form of Information System access? Are there varying types of access such as Active Directory, VPN, and Kiosk? If so, list out the various types of access for the employees.
A46: Please refer to the answer to Q45.

Q47: Does the City support its IT infrastructure using in-house staff? If some portion of the support infrastructure is outsourced, which components are outsourced?
A47: The Department of Information Technology is responsible for the City’s IT Infrastructure.

Q48: Does the City allow users to "Bring Your Own Device"?
A48: The City of Berkeley is subject to the California Public Records Act (CPRA). Currently, the City does not allow BYOD and City work is conducted on city issued devices.

Q49: Does the City host any externally facing web sites or applications? If so, how many applications are hosted. Are these hosted by a third party or are they hosted in a City data center?
A49: Yes, the City of Berkeley Enterprise System Catalog includes both self-managed and hosted applications and websites. Please refer to the answer to Q45.

Q50: Are policies and procedures for both security and operations well documented?
A50: Please refer to the answer to Q10.

Q51: Is the City utilizing any form of collaboration technologies such as SharePoint, Google Drive, OneDrive for Business, Dropbox, etc.?
A51: Yes. Please refer to the answer to Q45.

Q52: Does the City have a time table for which they would like to have the project completed by? Additionally, do they have some expectation of the duration of the project?


A52: Please see section VIII (SCHEDULE) of the RFP.

Q53: Is there any review of network architecture, wireless network layout and segmentation, or IT enterprise architecture in scope?
A53: Please refer to the answer to Q23. The vendor may propose within their project plan their work sizing recommendation on such reviews, including their method for Milestone #1 “As Is” Assessment.

Q54: Is a detailed risk assessment of applications and the environment to be performed? If so, how detailed of a risk assessment should be performed on the critical business applications? Can the City elaborate on their expectations in this area?
A54: Please refer to the answer to Q23. The bidder may propose within their project plan their work sizing recommendation on detailed risk assessment of applications and the environment, including their method for Milestone #1 “As Is” Assessment.

Q55: The RFP mentions several standards; which standards does the City consider most important, such as NIST, COBIT, ISO, etc.?
A55: No framework standard is mentioned in the RFP.

Q56: Will the Consultant be permitted to use automated vulnerability scanning tools to review the servers, workstations, firewalls, and network devices in addition to manual review procedures to assist in identifying risks?
A56: Please refer to the answer to Q23.

Q57: What’s the city’s flexibility on the delivery of the project beyond the deadline of October 1st, 2018 (due to scope of project we recommend an end date of January 1, 2019)?
A57: From section II: “This is a firm deadline due to the timing of the City’s 2020 - 2022 budget process.”

Q58: What Written Information Security Program and Policy needs to be updated and/or created as a part of the Cyber Security Resilience Plan?
A58: Please refer to the answer to Q10. Please see also sections in the RFP which describe focus area #3: Policy and Rationale. The submitter may propose within their project plan their recommended work tasks on reviews for Milestone #1 “As Is” Assessment.

Q59: What kind of Incident Response Plan should be modified and/or created as a part of the Cyber Security Resilience Plan?
A59: The vendor may propose within their project plan their recommended work steps on reviews for Milestone #1 “As Is” Assessment.

Q60: Do you have any cyber security training in place, and if so, what is the extent of the training?
A60: Yes. Please refer to the answer to Q45.

Q61: What kind of compliance exposures are you aware of in addition to those listed on the RFP (PII, HIPAA, PCI)?
A61: Contractual/MOU/MOA obligations, City Ordinances, CJIS, and CPRA and other Federal and State Laws.

Q62: What PCI level / how many transactions annually? (L1: 6 mill+; L2: 1-6 mill; L3: 20k-1 mill; L4: 0-20k) A62: L2.

Q63: Regarding HIPAA compliance - how many beds and/or how many clinician offices? A63: This information is publicly available through the City of Berkeley website. Please refer to https://www.cityofberkeley.info/dhs/.

Q64: Regarding HIPAA compliance - what kind of practices and total count of practice areas? A64: Please refer to the answer to Q63.

Q65: What kind of compliance framework are you required to use? (if any) - NIST 7621r1, NIST 800-53 or ISO? A65: Please refer to the answer to Q55 and Q61. Please also see the discussion within the RFP on focus area #3: Policy and Rationale.

Q66: When was the last date of security assessment and what kind of assessment was it? A66: Please refer to the answer to Q59.

Q67: When was the last time you conducted a physical security vulnerability assessment? A67: Please refer to the answer to Q59.

Q68: What kind of information security policies exist? A68: Please refer to the answer to Q45.

Q69: What incidents have occurred in your environment (if you are able/willing to disclose)? A69: Please refer to the answer to Q45. Please also see section I (INTRODUCTION) of the RFP.

Q70: Do you have any cyber security insurance or are you in the process of purchasing cyber security insurance? A70: Yes, City has Cyber Insurance and the vendor will be expected to review the coverage and provide recommendations.

Q71: How many sites/buildings do you have and are their networks completely visible across the WAN? A71: Please see section I (INTRODUCTION) of the RFP.

Q72: Who is your WAN service provider(s) and what service are you contracting? A72: Please refer to the answer to Q45.

Q73: How many 3rd-party MPLS, PTP, or other non-VPN entry points do you have? Specify if HSRP or VRRP in notes. A73: Please refer to the answer to Q45.

Q74: What kind [of] teaming agreements or service provider agreements do you have in place today with confidentiality clause? A74: Please refer to the answer to Q42.

Q75: What 3rd-party services or subscriptions are you considering that might reduce your overall network footprint? A75: Please refer to the answer to Q42.

Q76: What 3rd-party networks are overlaid on your corporate networks? Item #1 - Please provide diagram or contract. A76: Please refer to the answers to Q42 and Q45.

Across all City of Berkeley sites in scope (Questions 77-94): Q77: How many routers? A77: Please refer to the answer to Q45.

Q78: How many switch stacks or virtual chassis type stacks are in use? A78: Please refer to the answer to Q45.

Q79: How many wireless controllers? If 'cloud', please list provider name as short answer. A79: Please refer to the answer to Q45.

Q80: How many IP manageable firewalls (please include virtual firewall counts)? A80: Please refer to the answer to Q45.

Q81: How many server iron builds? A81: Please refer to the answer to Q45.

Q82: How many virtual machines running and what type (VMware, Hyper-V)? A82: Please refer to the answer to Q45.

Q83: How many server instances running on your VMs? Please provide list with OS types if plausible. A83: Please refer to the answer to Q45.

Q84: How many desktops/workstations? A84: Please refer to the answer to Q45.

Q85: How many global catalog servers and how many domain controllers? A85: Please refer to the answer to Q45.

Q86: How many domains? A86: Please refer to the answer to Q45.

Q87: What kind of syslog or central log is in use today for your network, firewall, controller, etc. assets? A87: Please refer to the answer to Q45.

Q88: What network monitoring, performance, and change management are in place today? A88: Please refer to the answer to Q45.
Q89: What future growth or major business changes are planned which may impact your network? A89: Please see section I (INTRODUCTION) of the RFP.

Q90: How many email/compute users? A90: Please refer to the answer to Q45.

Q91: How many employees does the company employ (all workers)? A91: Please refer to the answer to Q89.

Q92: How many IT personnel? A92: Please refer to the answer to Q89.

Q93: How many Wireless Access Points? A93: Please refer to the answer to Q45.

Q94: How many SSIDs exist on your wireless network and what is [the] function of each SSID? Provide business function list if applicable. A94: Please refer to the answer to Q45.

Additionally submitted questions

Q95: Can we get a copy of Berkeley’s DSP? A95: Electronic copies of the Digital Strategic Plan (DSP) are available on the Department of IT webpage accessible through the City of Berkeley website. Please refer to the answer to Q21 for a link.

Q96: What Cyber protection plans, services, equipment are already in place? A96: Please refer to the answers to Q9, 10, 11, 17, and 19.

Q97: Will the City accept bids from Multiple organizations where one is prime and one is secondary? A97: Yes. Please see the answer to Q7.

Q98: RE payment milestones – does “presentation” mean actual formal presentation in Council and / or other meeting venues, or is delivery to IT Director considered “presentation”? A98: Please refer to the answers to Q25, 26, 28, and 29.

Q99: Is there a budget established and authorized for this project, and if so, what is the budget? A99: Please see the answer to Q2.

Q100: How “tight” do budgetary numbers need to be, is a 20% budgetary number acceptable given the aggressive timeline and hard stop due date? A100: Please see the answer to Q2.

Q101: Is there any flexibility in the deadline of Oct. 1st, 2018? A101: Please see the answer to Q57.

Except as provided herein all other terms and conditions remain unchanged. Schedule Update on Next Page

SCHEDULE (dates are subject to change)

Issue RFP to potential bidders: 02 March 2018

Questions Due: 11 April 2018

Answers to Questions Published on Website: 26 April 2018

Proposals due from potential bidders: 08 May 2018

Complete Selection Process: 10 May 2018

Council Approval of Contract: 12 June 2018

Award of Contract: 13 June 2018

Sign and Process Contract: 29 June 2018

Notice to proceed: 02 July 2018

Project Kick Off: 09 July 2018

Estimated Project Completion: 01 October 2018

Except as provided herein all other terms and conditions remain unchanged.