1 | P a g e

THE CITY OF NEW YORK POLICE PENSION FUND

REQUEST FOR PROPOSALS

TITLE: Virtual Chief Information Security Officer (vCISO) Services

PIN #: 2562201vCISOS

TABLE OF CONTENTS: PAGE # SECTION I TIMETABLE 2 SECTION II SUMMARY OF THE REQUEST FOR PROPOSALS 3-5 SECTION III SCOPE OF SERVICES 6-8 SECTION IV FORMAT AND CONTENT OF THE PROPOSAL 8-11 SECTION V PROPOSAL EVALUATION AND CONTRACT AWARD PROCEDURES 12 SECTION VI GENERAL INFO RMATION TO PROPOSERS 13 APPENDIX A GENERAL PROVISIONS GOVERNING CONTRACTS FOR CONSULTANTS, PROFESSIONAL, TECHNICAL, HUMAN AND CLIENT SERVICES ATTACHMENT A PROPOSAL COVER LETTER ATTACHMENT B ACKNOWLEDGEMENT OF ADDENDA ATTACHMENT C DOING BUSINESS DATA FORM ATTACHMENT D WHISTLEBLOWER PROTECTION EXPANSION ACT RIDER ATTACHMENT E IRAN DIVESTMENT ACT COMPLIACE RIDER ATTACHMENT F SUB-CONTRACTING COMPLIANCE NOTICE AUTHORIZED CONTACT PERSON

Proposers are advised that the Authorized Agency Contact Person for all matters concerning this Request for Proposals is:

Name: Latonia Harris Title: Director of Procurement Mailing Address: New York City Police Pension Fund 233 Broadway, 25th Floor New York, N.Y. 10279 Telephone #: 212 693-5068 Fax# 212 693-2715 E-Mail Address: lharris@nycppf.org

2 | P a g e

SECTION I - TIMETABLE A. Release Date of this Request for Proposals: July 13, 2021 All questions and requests for additional information concerning this RFP should be directed to Latonia Harris, the Authorized Agency Contact Person, at: Telephone #: 212 693-5068 E-Mail Address: lharris@nycppf.org B. Pre-Proposal Conference: GOTOMEETING Date: August 5, 2021 Time: 10am – 11am EST

Please join my meeting from your computer, tablet or smartphone. https://global.gotomeeting.com/join/591331301 You can also dial in using your phone. (For supported devices, tap a one-touch number below to join instantly.)

United States: +1 (872) 240-3311 One-touch: tel:+18722403311, 591331301# Access Code: 591-331-301

New to GoToMeeting? Get the app now and be ready when your first meeting starts: https://global.gotomeeting.com/install/591331301 Attendance/participation by proposers is optional but highly recommended by the Fund. C. Submission of Questions

The Fund will give proposers an opportunity to submit questions regarding content detailed in the Scope of Services that may need clarity, all questions must be submitted no later than August 2, 2021, 12pm EST. Responses to all questions will be released on: August 9, 2021

D. Proposal Due Date and Time and Location: Date: August 23, 2021 Time: 11:00am Email Address: Procurement@nycppf.org

All Proposals must be submitted via email to the Fund’s Procurement email box Procurement@nycppf.org. Due to COVID-19 hardcopies are not required to be mailed into the Fund. Proposals received after the Proposal Due Date and Time are late and shall not be accepted by the Fund, except as provided under the New York City’s Procurement Policy Board Rules. The Fund will consider requests made to the Authorized Agency Contact Person to extend the Proposal Due Date and Time prescribed above. However, unless the Fund issues a written addendum to this RFP which extends the Proposal Due Date and Time for all proposers, the Proposal Due Date and Time prescribed above shall remain in effect.

E. Anticipated Contract Start Date: To be determined. SECTION II - SUMMARY OF THE REQUEST FOR PROPOSALS

3 | P a g e

A. Information about the Fund The New York City Police Pension Fund (NYCPPF or the “Fund”) is dedicated to providing superior service to its 37,000 active members and 49,000 retired members of the New York City Police Department. The Fund was incorporated and commenced business on March 29, 1940. This incorporation succeeded the Police Pension Fund Article 1, established for uniformed members of the NYPD prior to 1940. By legislation enacted in 1995, Article 1 was merged into the Fund. In 2001, legislation provided Corpus Funding for the Fund to begin operations in September, 2002 at its new location at 233 Broadway in New York City. The Fund is governed by the Board of Trustees consisting of labor and city representatives. The Comptroller of the City of New York is Custodian of the funds of the System, and by delegation of the Board of Trustees, has the power to invest those funds. The Executive Director is the chief administrative officer of the agency. The Chief Actuary for the City of New York provides actuarial services to the Fund. The Office of Corporation Counsel provides legal services to the Fund.

The Fund is a defined benefit plan that manages the Fund’s invested assets and pays out benefits according to formulas set forth in New York State and New York City laws. In general, Tier 1 and 2 members are governed by Title 13 of the New York City Administrative Code (“AC NY”), and Tier 3 members are governed by Article 14 of the New York State Retirement and Social Security Law (“RSSL”); both are governed by the Rules of the Fund and certain other applicable statutes. B. Purpose of RFP The purpose of this RFP is to procure and implement the services of a virtual Chief Information Security Officer (vCISO), including email, phone, and on-site support. The vCISO services will consist of executive-level consulting and information security expertise, akin to that which would be provided by a full-time, in-house Chief Information Security Officer. Procuring the services of a vCISO is part of an overall Cyber Security program enhancement project. The selected vCISO will be contracted to build the Fund’s cyber security program. C. Current Business and Technical Environment The Fund currently has a small IT team of 12 employees that support a 170 person organization with one primary location and a disaster recovery (DR) location. The IT team is responsible for IT Ops, Information Security, software development, DBA activities and help desk support. As a small IT team, staff are required to wear many hats and support multiple ongoing projects in parallel as well as daily, weekly, monthly, operational tasks. The Fund is currently in the midst of a multi-year, multi-phased rollout of its pension administration software development for the Comprehensive Officers Pension System (“COPS”) 2.0 project. While the management of this project lives outside of the IT organization, many of the IT personnel are deeply involved in this project for infrastructure support, data migration/conversation activities, and interface development. Environment The Funds network infrastructure is a Wide Area Network that contain to data centers. One at headquarters and the second at a share data center in Staten Island. The data center running the production servers is the Staten Island location. The two sites are connect via dedicated EPL fiber optic cable. Both locations have identical server hosting equipment and SAN disk arrays. Data SAN are kept in near real-time synchronization. Our

4 | P a g e

headquarters has 200 desktops and Staten Island location has 50 desktops. Each location has two core Cisco switches and all server are connected to both switches for failover. Software Catalog Software Name Version Vendor Oracle DB Oracle Forms

Oracle Database 10g R2 Oracle Forms 10.1.2.0.2

Oracle

Adobe Acrobat Ver: 12 Pro Adobe webConnect Ver: 9.1.1 WSUS Windows 2012 R2 ver 6.3.9600.18694 Microsoft Exchange 2013 with CU 23 Microsoft Backup Exec / Data Domain

Backup Exec 21.1 DataDomain-DD250 OS:6.02.30-606339

Veritas

Windows Cluster Host Server

Windows 2012 Microsoft

Windows Hyper-V Ver: 6.2.9200.16384 Microsoft Solomon Microsoft Dynamics SL 2015 Microsoft Kofax Kofax Capture 11

Kofax Front Office Service 4.1 Kofax

McAfee Ver: 8.8 with Patch 16 McAfee Docushare Ver 7.0.0.C1.609 Xerox MailMeter Ver 7.0.0.10 Waterford CrowdStrike Windows: 6.21.13510.0

Linux 6.20.0.11707 CrowdStrike

VMware ESXI 6.5 VMware Barracuda SMTP Model 300 Firmware Ver: 9.0.0.005 Barracuda Barracuda web Filter Model 610 Firmware Ver: 15.0.0.009 Barracuda Current State

1. IT Ops Policies and Procedures need to be reviewed and updated. 2. Additional human capital is needed to support information security program. 3. Our current enterprise security architecture is outdated for today’s evolving cyber threat landscape. It was

developed 20 years ago. 4. Vulnerability Assessment being conducted by 3rd party vendor. 5. Current security tools while providing key value have limited visibility across network:

a. McAfee – End point Antivirus/Malware Detection b. Barracuda SMTP, eMail scanning SasS c. Crowdstrike – End point monitoring – managed through NYC Cyber Command

6. The Fund has a security consultant that is contracted to provide security assessments for our Software Implementation project.

Current Pain Points While the Fund has taken steps to strengthen its network infrastructure to minimize cyber threats, we have some key points that must be a focal point of the selected contractor;

1. Limited in-house cyber security analysts and no security engineers to provide analytical and engineering support for program.

5 | P a g e

2. Limited network security visibility with current cyber security resources and tools. 3. Lack of best practice separation of security duties. 4. Need of a comprehensive ISP per NYS guidelines including an incident response plan.

Future State The goals and objectives of this engagement is to: 1. Focus on developing an Information Security posture for the Fund. 2. Reducing the overall risk from cyber threats facing the Fund. 3. Scalable best practices information security framework utilizing Managed Security Services Provider (MSSP) where possible. 4. Improve budget and staffing forecasting with right-sized information security support and services for the Fund 5. Develop a multi-year strategy to fully implement an Information Security Program that supports an adaptive

security architecture for the Fund 6. Improve external partnerships and collaboration such as Managed Security Services Provider (MSSP), Center for

Internet Security (CIS) and Multi-State Information Sharing, Analysis Center (MS-ISAC), and NYC3 cyber security resources and services

D. Anticipated Contract Term It is anticipated that the term of the contract awarded from this RFP will be for two years with three one year renew options. The Fund reserves the right, prior to contract award, to determine the length of the initial contract term and each option to renew, if any. E. Minimum Qualification Requirements The following are the Minimum Qualification Requirements of this RFP. Proposals that fail to meet all of these requirements will be rejected. • The vendor should have a minimum of 10 years’ experience providing information security services to

Government agencies similar in size to the Fund. • The vendor should provide a minimum of five references from municipalities or state governments or

agencies for which similar services were performed. • The vendor must be a US-based company. • The vendor should designate a security specialist who will be the Fund’s main point of contact and will

be available to respond immediately to any questions or issues that arise. • All vendor employees engaged in the project must submit to a security background check by the Fund.

Security specialist qualifications a. The security specialist should have at least 15 years’ experience, including specific experience managing

projects of similar size and scope. b. The security specialist should be a Certified Information Systems Security Professional and Certified

Information Systems Auditor. c. The security specialist must be a US-based employee of the vendor.

SECTION III - SCOPE OF WORK

6 | P a g e

A. Task and Standard Requirements The Fund is looking for a comprehensive and best practice solution to provide virtual Chief Information Security Officer (vCISO) services. The following section details the scope of work and requirements of the Fund , it shall serve as a guide, it is not meant to be inclusive of all task that maybe required to accomplish the Fund’s goals and objectives. Proposers must respond by addressing the all of the requirements listed and are encouraged to propose other task that are deemed necessary to achieve the Fund’s overall objectives. Respond with a description of how you will meet each requirement in the column titled “Proposed Solution”. Your responses will be scored on a points system by the evaluation team. A copy of this table will be available for editing.

Requirement Proposed Solution Own security related initiatives for the COPS 2.0 software

implementation project. This includes being the primary contact for the security consultant and managing the work process for platform security assessment.

1 Participation in executive meetings, including: a. Quarterly IT Steering Committee meetings b. Annual Board of Trustees’ IS presentation c. Development of weekly, monthly, and quarterly metrics

and KPI’s in support of the Fund’s information security services.

2 Information Security Program (ISP) and Information Security Management System (ISMS) based on the New York State Department of Financial Services (NYSDFS) and National Institute of Standards & Technology (NIST) Cybersecurity frameworks to safeguard the confidentiality, integrity, and availability of our data assets and member information. Provide at least one sample ISP and ISMS that would best align to the Fund’s needs.

3 Annual updates to ISP and ISMS.

4 Review of existing IT / IS policies, procedures, and GAP analysis.

6 Security risk assessment, including: a. Segregation of duties matrix b. Assessment of enterprise application portfolio and

development of risk profile c. Risk assessment of auditable technologies and IT

processes, including: • Selection of applicable risk categories • Interviews with business managers and

enterprise application owners • Development of IT risk matrix • Development of three-year IT assessment plan

d. Setup of Annual review and update

7 Directly manage threats, vulnerabilities, and incidents within the information processing infrastructure

• Manage response to NYC CyberCommand Vulnerability notifications. Based on 5 months average, 27 per month.

• Internal information security detections and management of responses

7 | P a g e

8 As part of the overall ISP develop an incident management program Provide at least one sample ISP and ISMS that would best align to the Fund’s needs.

9 Security awareness training program development a. Working with HR, develop Security Training objectives

and identify a platform(s) to deliver training.

10 Networking hardware and configuration review and recommendations

11 Develop network vulnerability assessments and penetration test,

Program including: a. Internal / External assessments b. Periodic penetration test c. Quarterly vulnerability assessments d. Reporting and management of action items

13 Application security assessments, including: a. Traditional enterprise applications b. Cloud applications c. Web and mobile applications d. Management of COPS 2.0 Security Assessments

15 Assess social engineering vulnerability and recommend countermeasures

Develop Information Security vendor management

policies and procedures

Year 1 Major Objective:

Develop and implement an Information Security Program (ISP) and Information Security Management System (ISMS) ) based on the New York State Department of Financial Services (NYSDFS) and National Institute of Standards & Technology (NIST) Cybersecurity frameworks to safeguard the confidentiality, integrity, and availability of our data assets and member information. Establish Cyber Security framework, conduct Information Security gap analysis (Information Security Context and Leadership; Evaluation and Direction, and Compliance, Audit and Review) Develop a 3 year Information Security (IS) roadmap based on analysis and current state. This will include staffing recommendations, roles and responsibilities, budget and timelines. Setup and deliver Information Security communications at a quarterly IT Steering Committee meetings and annual Board of Trustees’ IS presentation

B. Project Assumptions Regarding Contractor Approach The Fund will identify a senior Executive Sponsor to support the engagement. The Executive Sponsor will serve as the point of coordination to engage the Fund’s executive team members at key points during the project. The Fund will identify a Project Manager to provide operational assistance to the consulting team, to identify project participants, and to arrange meetings and associate logistics, etc. The Fund will provide the consultant with timely responses to all requests for information, review, and resources, as well as workspace for the project team with the ability to access vendor systems through the Internet. The Fund will provide access to necessary personnel for data gathering activities, such as interviews to obtain insight into the application development processes and procedures, as well as the nature of the application.

8 | P a g e

Involvement of third parties shall require a third-party agreement to be signed, unless a Service Level Agreement exists and indicates the Fund’s right to audit. This does not include resources owned by the third party on which multiple clients' data or services reside. All work will occur within weekday business hours (i.e.., 8 AM - 5 PM local time). Exceptions will be made for automated data gathering (e.g., vulnerability scanning). The actual Project Plan will based on a delivery schedule, including review activities and presentation dates that will be mutually agreed and confirmed at the start of the project. C. Compliance with Local Law 34 of 2007 Pursuant to Local Law 34 of 2007, amending the City's Campaign Finance Law, the City established a computerized database containing the names of any "person" that has "business dealings with the city" as such terms are defined in the Local Law. For the purposes of the database, proposers are required to complete the attached Doing Business Data Form and return it with this proposal. (If the proposer is a proposed joint venture, the entities that comprise the proposed joint venture must each complete a Data Form.) If the City determines that a proposer has failed to submit a Data Form or has submitted a Data Form that is not complete, the proposer will be notified by the Agency and will be given four (4) calendar days from receipt of notification to cure the specified deficiencies and return a complete Data Form to the Agency. Failure to do so will result in a determination that the proposal is non-responsive. Receipt of notification is defined as the day notice is e-mailed or faxed (if the proposer has provided an e-mail address or fax number), or no later than five (5) days from the date of mailing or upon delivery, if delivered. D. Whistleblower Protection Expansion Act Rider Local Law Nos. 30 and 33 of 2012, codified at sections 6-132 and 12-113 of the New York City Administrative Code, the Whistleblower Protection Expansion Act, protect employees of certain City contractors from adverse personnel action based on whistleblower activity relating to a City contract and require contractors to post a notice informing employees of their rights. Please read Attachment D, the Whistleblower Protection Expansion Act Rider, carefully. E. Compliance with the Iran Divestment Act Pursuant to State Finance Law Section 165-a and General Municipal Law Section 103-g, the City is prohibited from entering into contracts with persons engaged in investment activities in the energy sector of Iran. Each proposers is required to complete the attached Bidders Certification of Compliance with the Iran Divestment Act, certifying that it is not on a list of entities engaged in investments activities in Iran created by the Commissioner of the NYS Office of General Services. If a proposer appears on that list, the Fund will be able to award a contract to such proposer only in situations where the proposer is takings steps to cease its investments in Iran or where the proposer is a necessary sole source. Please refer to Attachment for information on the Iran Divestment Act required for this solicitation and instructions on how to complete the required form and to http://www.ogs.ny.gov/About/regs/ida.asp for additional information concerning the list of entities. F. Subcontractor Compliance Notice The Fund must approve the use of a subcontractor. The selected contractor will be the party primarily liable for the performance of the said approved contractor. No contractual relationship will exist between the Fund and

9 | P a g e

the subcontractor. The Contractor shall be responsible for the management the subcontractors work performance as it relates to quality and timeliness. Please read complete Attachment F, the subcontractor compliance notice as it relates to competitive solicitations.

SECTION IV - FORMAT AND CONTENT OF THE PROPOSAL Instructions: Proposers should provide all information required in the format below. All proposals must be submitted electronically. Pages must be numbered and organized detailed in section A. Failure to comply with any of these instructions will not make the proposal non-responsive. A. Proposal Format 1. Proposal Cover Letter

The Proposal Cover Letter form (Attachment A) transmits the proposer’s Proposal Package to the Fund. It should be completed, signed and dated by an authorized representative of the proposer. 2. Minimum Qualifications Submit a document entitled “Qualification Statement” (QA) that will detail the required information necessary to demonstrate the Minimum Qualification Requirements of this RFP have been met. The QA must address the following questions:

• Name of Company/Individual • Address of Company main office • Business Phone Number and Email Address • Business Structure: ___ Corporation ___ Partnership ___ (Other_________) • Is your company based in the United States? Yes or No • How many years have you been in the business of cybersecurity and/or providing VCIO

Services? • Do you have 10 years of experience providing information security services to Government

agencies similar to the size of the Fund? Yes or No, if yes provide five references from municipalities or state governments agencies for which similar services were performed.

• Specify your relevant registrations, certifications and licenses • Will you designate a security specialist who will be the Fund’s main point of contact and will

that individual be available to respond immediately to any questions or issues that arise during the term of this engagement?

• Affirm that all of the employees designated to work on this project will submit to a security background check by the Fund.

• The security specialist should have at least 15 years’ experience, including specific experience managing projects of similar size and scope. Attach for each key staff position a resume and/or description of the qualifications that will be required. (In addition, provide a statement certifying that the proposed key staff will be available for the duration of the project.)

• The security specialist should be a Certified Information Systems Security Professional and Certified Information Systems Auditor.

• The security specialist must be a US-based employee of the vendor.

Attach copies of resumes, certifications, licenses etc. as proof of meeting the requirements. Proposals that fail to meet all of these requirements will be rejected.

10 | P a g e

3. Technical Proposal

a. The Technical Proposal is a clear, concise narrative which must address the Task and Standards requirements detailed in III Scope Services (refer to the chart above). Provide solutions to the requirements.

Describe the successful relevant experience of the proposer, each proposed sub-contractor if any, and the proposed key staff in providing the work described in Section III of this RFP.

If a subcontractor will be awarded any parts of the task required, your firm must attach a list of at least three relevant references, including the name of the reference entity, a brief statement describing the relationship between the proposer or proposed sub-contractor, as applicable. Include the name, title and telephone number of a contact person at the reference entity, for the proposer and each proposed sub-contractor if any.

b. Organizational Capability

Demonstrate the proposer’s organizational staffing, managerial and financial capability to provide the work described in Section III. • Describe your business structure, how many employees do you have. Are the resources needed for

this project readily available once an agreement is executed • Attach resumes of key employees that will assigned to work with the Fund if you have not already

done so • Describe a backup plan in the event an individual assigned by your firm is unable to complete the

task assigned. How will the services continue uninterrupted? In addition: • Attach a chart showing where, or an explanation of how, the proposed services will fit into the

proposer’s organization. • Attach a copy of the proposer’s latest audit report or certified financial statement, or a statement as

to why no report or statement is available.

4. Price Proposal

a. Compensation / Proposed Payment Structure The Fund’s request for a pricing structure that is based on performance task resulting in tangible deliverables is to ensure that the selected proposer(s) will perform the work under the contract(s) awarded from this RFP in a manner that is cost-effective for the Fund and most likely to achieve the goals and objectives set out above, is as follows: Proposers must provide separate pricing for the following, regardless of whether the items will be bundled or not:

a. Software license costs b. Initial configuration and set-up c. Hosting fees, if applicable and pricing model (by user, enterprise, module, etc.) d. Training costs e. Ongoing technical support/ maintenance costs, by year

11 | P a g e

f. Additional requirements or service g. Optional functionality.

If pricing is tiered, please provide specific listing of services and associated functions and pricing for each tier. State whether the item is optional or a requirement. If a flat fixed fee with incremental billing is proposed, the proposal must be detailed to include hours, line item pricing and performance outcome based payments. The Fund reserves the right to select any payment structure that is in the City’s best interest. 5. Acknowledgment of Addenda The Acknowledgment of Addenda form (Attachment B) serves as the proposer’s acknowledgment of the receipt of addenda to this RFP which may have been issued by the Agency prior to the Proposal Due Date and Time, as set forth in Section I (D), above. The proposer should complete this form as instructed on the form. 6. Other Documents

If your firm is selected, you may be required to submit the following documents: VENDEX Questionnaires, Department of Business Services/Division of Labor Services Employment Report, Prevailing Wage Schedule(s) and/or Tax Affirmation Form.]

B. Proposal Package Contents (“Checklist”) The Proposal Package that must be emailed in response to this solicitation must contain the following materials. Proposers should utilize this section as a “checklist” to assure completeness prior to submitting their proposal to the Fund.

Proposal Cover Letter Form (Attachment A) Qualification Statement -Minimum Qualification Requirements of this RFP. Include all

documents that must be submitted as proof of meeting the requirements. Proposals that fail to meet all of these requirements will be rejected

Technical Proposal – Detail the task and standards required Organization Capabilities Acknowledgement of Addenda form(Attachment B)

THE PRICE PROPOSAL OR ANY MENTION OF THE PRICE MUST NOT BE INCLUDED IN SECTIONS OF THE TECHNICAL PROPOSAL PACKAGE. THE PRICE PROPOSAL MUST BE EMAILED SEPARATELY. Price Proposal Check List Confidential Cost Proposal Cover Page

RFP PIN# Company Name Authorized Contact person name, email address and phone number

Price Sheet – Refer to Section 4 above SECTION V - PROPOSAL EVALUATION AND CONTRACT AWARD PROCEDURES

12 | P a g e

A. Evaluation Procedures All proposals accepted by the Fund will be reviewed to determine whether they are responsive or non-responsive to the requisites of this RFP. Proposals that are determined by the Fund to be non-responsive will be rejected. The Evaluation Committee will evaluate and rate all remaining proposals based on the Evaluation Criteria prescribed below. The Fund’s evaluation committee will review and rate the technical proposals of the proposals that are responsive. The proposals will be ranked in order of highest to lowest technical score and the Fund will establish a shortlist. The price proposals will be reviewed after the technical ratings have been assigned. The lowest best value price proposed will receive the full points allotted. The other proposed prices will be assigned proportional points of the total twenty five. The Fund reserves the right to conduct site visits and/or interviews and/or to request that proposers make presentations and/or demonstrations, as the Fund deems applicable and appropriate. Although discussions may be conducted with proposers submitting acceptable proposals, the Fund reserves the right to award contracts on the basis of initial proposals received, without discussions; therefore, the proposer’s initial proposal should contain its best programmatic/technical and price terms.

B. Evaluation Criteria

• Experience and qualifications 20% • Service alignment to business need 20% • Methodology/approach used 20% • References 15% • Cost 25%

C. Basis for Contract Award A contract will be awarded to the responsible proposer whose proposal is determined to be the most advantageous to the City, taking into consideration the price and such other factors or criteria which are set forth in this RFP. The Contract award shall be subject to the timely completion of contract negotiations between the Fund and the selected proposer(s).

SECTION VI - GENERAL INFORMATION TO PROPOSERS

A. Complaints. The New York City Comptroller is charged with the audit of contracts in New York City. Any proposer who believes that there has been unfairness, favoritism or impropriety in the proposal process should inform the Comptroller, Office of Contract Administration, 1 Centre Street, Room 1005, New York, NY 10007; contract@comptroller.nyc.gov, or at (212) 669-2323. In addition, the New York City Department of Investigation should be informed of such complaints at its Investigations Division, 80 Maiden Lane, New York, NY 10038; the telephone number is (212) 825-5959. B. Applicable Laws. This Request for Proposals and the resulting contract award(s), if any, unless otherwise stated, are subject to all applicable provisions of New York State Law, the New York City Administrative Code, New York City Charter and New York City Procurement Policy Board (PPB) Rules. A copy of the PPB Rules may be obtained by contacting the PPB at (212) 788-0010 or at: http://www.nyc.gov/html/mocs/ppb/html/home/home.shtml.

13 | P a g e

C. General Contract Provisions. Contracts shall be subject to New York City’s general contract provisions, in substantially the form that they appear in “Appendix A—General Provisions Governing Contracts for Consultants, Professional and Technical Services” or, if the Agency utilizes other than the formal Appendix A, in substantially the form that they appear in the Agency’s general contract provisions. A copy of the applicable document is available through the Authorized Agency Contact Person. D. Contract Award. Contract award is subject to each of the following applicable conditions and any others that may apply: New York City Fair Share Criteria; New York City MacBride Principles Law; submission by the proposer of the requisite New York City Department of Business Services/Division of Labor Services Employment Report and certification by that office; submission by the proposer of the requisite VENDEX Questionnaires/Affidavits of No Change and review of the information contained therein by the New York City Department of Investigation; all other required oversight approvals; applicable provisions of federal, state and local laws and executive orders requiring affirmative action and equal employment opportunity; and Section 6-108.1 of the New York City Administrative Code relating to the Local Based Enterprises program and its implementation rules. E. Proposer Appeal Rights. Pursuant to New York City’s Procurement Policy Board Rules, proposers have the right to appeal Agency non-responsiveness determinations and Agency non-responsibility determinations and to protest an Agency’s determination regarding the solicitation or award of a contract. F. Multi-Year Contracts. Multi-year contracts are subject to modification or cancellation if adequate funds are not appropriated to the Agency to support continuation of performance in any City fiscal year succeeding the first fiscal year and/or if the contractor’s performance is not satisfactory. The Agency will notify the contractor as soon as is practicable that the funds are, or are not, available for the continuation of the multi-year contract for each succeeding City fiscal year. In the event of cancellation, the contractor will be reimbursed for those costs, if any, which are so provided for in the contract. G. Prompt Payment Policy. Pursuant to the New York City’s Procurement Policy Board Rules, it is the policy of the City to process contract payments efficiently and expeditiously. H. Prices Irrevocable. Prices proposed by the proposer shall be irrevocable until contract award, unless the proposal is withdrawn. Proposals may only be withdrawn by submitting a written request to the Agency prior to contract award but after the expiration of 90 days after the opening of proposals. This shall not limit the discretion of the Agency to request proposers to revise proposed prices through the submission of best and final offers and/or the conduct of negotiations. I. Confidential, Proprietary Information or Trade Secrets. Proposers should give specific attention to the identification of those portions of their proposals that they deem to be confidential, proprietary information or trade secrets and provide any justification of why such materials, upon request, should not be disclosed by the City. Such information must be easily separable from the non-confidential sections of the proposal. All information not so identified may be disclosed by the City. J. RFP Postponement/Cancellation. The Agency reserves the right to postpone or cancel this RFP, in whole or in part, and to reject all proposals. K. Proposer Costs. Proposers will not be reimbursed for any costs incurred to prepare proposals. L. Vendex Fees. Pursuant to PPB Rule 2-08(f)(2), the contractor will be charged a fee for the administration of the Vendex system, including the Vendor Name Check Process, if a Vendor Name Check review is required to be conducted by the Department of Investigation. The contractor shall also be required to pay the applicable fees for any of its subcontractors for which Vendor Name Check reviews are required. The fee(s) will be deducted from payments made to the contractor under the contract. For contracts with an estimated value of less than or equal to $1,000,000, the fee will be $175. For contracts with an estimated value of greater than $1,000,000, the fee will be $350. The estimated value for each contract resulting from this RFP is estimated to be (less than or equal to $1million) (above $1million). M. Charter Section 312(a) Certification. The Fund has determined that the contract(s) to be awarded through this Request for Proposals will not result in the displacement of any New York City employee within the Agency. See attached Displacement Determination Form.

_ June 25, 2021 Agency Chief Contracting Officer Date

ATTACHMENT A

PROPOSAL COVER LETTER

RFP TITLE: Virtual Chief Information Security Officer (vCISO) Services

PIN #: 2562201vCISOS

Proposer:

14 | P a g e

Name: _____________________________________________________________________________ Address: ______________________________________________________________________________

______________________________________________________________________________ Tax Identification #: ________________________________ Proposer’s Contact Person: Name: ______________________________________________________________________________ Title: ______________________________________________________________________________ Telephone #: _________________________________ Proposer’s Authorized Representative: Name: ____________________________________________________________________________ Title: ____________________________________________________________________________ Signature: ____________________________________________________________________________ Date: ___________________________________

ATTACHMENT B

ACKNOWLEDGEMENT OF ADDENDA

TITLE PIN #

DIRECTION: COMPLETE PART I, OR PART II, WHICH EVER IS APPLICABLE

PART I: LISTED BELOW ARE THE DATES OF ISSUE FOR EACH ADDENDUM RECEIVED IN

CONNECTION WITH THIS IFB.

15 | P a g e

ADDENDUM #1, DATED , 20

ADDENDUM #2, DATED , 20

ADDENDUM #3, DATED , 20

ADDENDUM #4, DATED , 20

ADDENDUM #5, DATED , 20

ADDENDUM #6, DATED , 20

ADDENDUM #7, DATED , 20

ADDENDUM #8, DATED , 20

ADDENDUM #9, DATED , 20

PART II: NO ADDENDUM WAS RECEIVED IN CONNECTION WITH THIS RFP BIDDER (NAME) _______________ DATE / / BIDDER (SIGNATURE) DATE / /

DOING BUSINESS ACCOUNTABILITY PROJECT QUESTIONS AND ANSWERS ABOUT LOCAL LAW 34 AND THE DOING BUSINESS

DATABASE

What is the purpose of the Doing Business Database? Local Law 34 of 2007 (LL 34), the pay to play reform act, is designed to limit the actual or perceived influence that campaign contributions could have on the City’s procurement and award processes. LL 34 limits municipal campaign contributions from principal officers, owners and senior managers of organizations that do business with the City and mandates the creation of a Doing Business Database to allow the City to enforce the law. As explained below, all organizations that have business dealings with the City are required to complete a Doing Business Data Form.

16 | P a g e

What organizations will be included in the Doing Business Database? LL 34 covers organizations that propose on, apply for or are awarded various transactions with or by City agencies and other governmental entities, such as public benefit corporations. It also covers lobbyists. There are certain exceptions to these categories; call the Doing Business Accountability Project at 212- 788-8104 for more information.

• Contracts, Concessions and Franchises: any organization proposing on or holding (either in the last 12

months or currently open) $100,000 in contracts for goods or services, $500,000 in contracts for construction, or $100,000 in concessions or franchises; or receiving $100,000 in City Council or Borough president discretionary allocations. LL 34 covers the unsuccessful proposers as well as the awardees. Certain contracts are not covered, most notably those awarded by publically-advertised competitive sealed bid. Note that if a sealed bid is awarded from a pre-qualified list, it is covered by the Law. Because all of the business that an organization does or proposes to do with the City will be added together, you must complete a Data Form for all transactions greater than $5,000, even if you do not currently do enough business with the City to be listed in the Database.

• Grants: any organization that receives grants totaling $100,000. • Economic development agreements: any application or award (any value) • Contracts for the investment of pension funds: any proposal or award (any value) • Contracts related to the City’s debt: any proposal or award (any value) • Real property transactions: any sale, purchase, lease to the City, lease from the City (any value) • Land use actions: Charter approvals under sections §§195, 197-a and 201 • Lobbyists: any firm or person required to submit a lobbyist registration statement.

What individuals will be included in the Doing Business Database?

The principal officers, owners and senior managers of organizations listed in the Doing Business Database are considered to be doing business with the City and will also be included in the Database. • Principal Officers are the Chief Executive Officer (CEO), Chief Financial Officer (CFO) and Chief

Operating Officer (COO), or their functional equivalents. • Principal Owners are individuals who own or control 10% or more of the organization. This includes

stockholders, partners and anyone else with an ownership or controlling interest in the organization. • Senior Managers include anyone who, either by job title or actual duties, has substantial discretion and high-

level oversight regarding the solicitation, letting or administration of any of the transactions covered by LL 34. • Lobbyists: any lobbyist included in a lobbyist registration statement.

How will this information be collected? Why have I received a Doing Business Data Form?

Each time an organization proposes on or enters a covered transaction, it will be required to fill out a Doing Business Data Form. Covered transactions include proposals for contracts, franchise and concessions of more than $5,000. However, no organization will have to fill out the form in its entirety more than once. The Data Form has both a Change option, which requires only information that has changed since the last Data Form was filed, and a No Change option. Because all of the business that an organization does or proposes to do with the City will be added together, you must complete the Data Form for all covered transactions, including contract, franchises and concessions greater than $5,000, even if you do not currently do enough business with the City to be listed in the Database. If an agency sends you a Data Form, you must complete it.

Will the personal information on the Data Form be available to the public? No. The names and titles of the officers, owners and senior managers reported on the Data Form will be made available to the public, as will information about the organization itself. However, personal identifying information, such as home address, home phone and date of birth, is considered confidential

17 | P a g e

and will not be disclosed to the public, and home address and phone number information will not be used for communication purposes.

What happens if an organization doesn’t submit a complete and accurate Data Form?

No award for a covered transaction will be made, and no proposal for a covered transaction will be considered, unless the Data Form is completed.

I provided some of this information on the VENDEX Questionnaire; do I have to do provide it again? Yes.

Although the Doing Business Data Form and the VENDEX Questionnaire request some of the same information, they serve entirely different purposes. In addition, the Data Form requests information concerning senior managers, which is not part of the VENDEX Questionnaire.

No one in my organization plans to contribute to a candidate; do I have to fill out the Data Form?

Yes. All organizations are required to return this Data Form with complete and accurate information, regardless of the history or intention of the organization or its officers, owners or senior managers to make campaign contributions. The Doing Business Database must be complete so that the Campaign Finance Board can verify whether future contributions are in compliance with the law.

How does a person remove him/herself from the Doing Business Database?

When an organization stops doing business with the City, the people associated with it are removed from the Database automatically. However, any person who believes that s/he should not be listed may apply for removal. Reasons that a person would be removed include his/her no longer being the principal officer, owner or senior manager of the organization. Organizations may also update their database information by submitting an update form. Removal Request and Update forms are available online at www.nyc.gov/mocs (once there, click MOCS Programs) or by calling 212-788-8104.

How long will an organization and its officers, owners and senior managers remain listed on the Doing Business Database?

• Contract, Concession and Economic Development Agreement holders: generally for the term of the transaction, plus one year.

• Franchise and Grant holders: from the commencement or renewal of the transaction, plus one year. • Pension investment contracts: from the time of presentation on an investment opportunity or the

submission of a proposal, whichever is earlier, until the end of the contract, plus one year. • Line item and discretionary appropriations: from the date of budget adoption until the end of the

contract, plus one year. • Contract proposers: for one year from the proposal date or date of public advertisement of the

solicitation, whichever is later. • Franchise and Concession proposers: for one year from the proposal submission date. For information on other transaction types, contact the Doing Business Accountability Project.

18 | P a g e

What are the campaign contribution limits for people doing business with the City?

Contributions to City Council candidates are limited to $250 per election cycle; $320 to Borough President candidates; and $400 to candidates for citywide office, and are not matchable. Please contact the NYC Campaign Finance Board for more information at www.nyccfb.info, or 212-306-7100.

If you have any questions about Local Law 34, the Doing Business Database or the Doing Business Data Form please contact the Doing Business Accountability Project at 212-788-8104 or DoingBusiness@cityhall.nyc.gov.

05/05/2011

Printed on paper containing 30% post-consumer material

19 | P a g e

WHISTLEBLOWER PROTECTION EXPANSION ACT RIDER

1. In accordance with Local Law Nos. 30-2012 and 33-2012, codified at sections 6-132 and 12-113 of the New York City Administrative Code, respectively,

(a) Contractor shall not take an adverse personnel action with respect to an officer or employee in retaliation for such officer or employee making a report of information concerning conduct which such officer or employee knows or reasonably believes to involve corruption, criminal activity, conflict of interest, gross mismanagement or abuse of authority by any officer or employee relating to this Contract to (i) the Commissioner of the Department of Investigation, (ii) a member of the New York City Council, the Public Advocate, or the Comptroller, or (iii) the City Chief Procurement Officer, ACCO, Agency head, or Commissioner.

(b) If any of Contractor’s officers or employees believes that he or she has been the subject of an adverse personnel action in violation of subparagraph (a) of paragraph 1 of this rider, he or she shall be entitled to bring a cause of action against Contractor to recover all relief necessary to make him or her whole. Such relief may include but is not limited to: (i) an injunction to restrain continued retaliation, (ii) reinstatement to the position such employee would have had but for the retaliation or to an equivalent position, (iii) reinstatement of full fringe benefits and seniority rights, (iv) payment of two times back pay, plus interest, and (v) compensation for any special damages sustained as a result of the retaliation, including litigation costs and reasonable attorney’s fees.

(c) Contractor shall post a notice provided by the City in a prominent and accessible place on any site where work pursuant to the Contract is performed that contains information about:

(i) how its employees can report to the New York City Department of Investigation allegations of fraud, false claims, criminality or corruption arising out of or in connection with the Contract; and

(ii) the rights and remedies afforded to its employees under New York City Administrative Code sections 7-805 (the New York City False Claims Act) and 12-113 (the Whistleblower Protection Expansion Act) for lawful acts taken in connection with the reporting of allegations of fraud, false claims, criminality or corruption in connection with the Contract.

(d) For the purposes of this rider, “adverse personnel action” includes dismissal, demotion, suspension, disciplinary action, negative performance evaluation, any action resulting in loss of staff, office space, equipment or other benefit, failure to appoint, failure to promote, or any transfer or assignment or failure to transfer or assign against the wishes of the affected officer or employee.

(e) This rider is applicable to all of Contractor’s subcontractors having subcontracts with a value in excess of $100,000; accordingly, Contractor shall include this rider in all subcontracts with a value a value in excess of $100,000.

2. Paragraph 1 is not applicable to this Contract if it is valued at $100,000 or less. Subparagraphs (a), (b), (d), and (e) of paragraph 1 are not applicable to this Contract if it was solicited pursuant to a finding of an emergency. Subparagraph (c) of paragraph 1 is neither applicable to this Contract if it was solicited prior to October 18, 2012 nor if it is a renewal of a contract executed prior to October 18, 2012.

Vendor Signature Date _______________________ _________________________________

ATTACHMENT E

20 | P a g e

IRAN DIVESTMENT ACT COMPLIANCE RIDER FOR NEW YORK CITY CONTRACTORS

The Iran Divestment Act of 2012, effective as of April 12, 2012, is codified at State Finance Law (“SFL”) §165-a and General Municipal Law (“GML”) §103-g. The Iran Divestment Act, with certain exceptions, prohibits municipalities, including the City, from entering into contracts with persons engaged in investment activities in the energy sector of Iran. Pursuant to the terms set forth in SFL §165-a and GML §103-g, a person engages in investment activities in the energy sector of Iran if:

(a) the person provides goods or services of twenty million dollars or more in the energy sector of Iran, including a person that provides oil or liquefied natural gas tankers, or products used to construct or maintain pipelines used to transport oil or liquefied natural gas, for the energy sector of Iran; or

(b) The person is a financial institution that extends twenty million dollars or more in credit to another person, for forty-five days or more, if that person will use the credit to provide goods or services in the energy sector in Iran and is identified on a list created pursuant to paragraph (b) of subdivision three of Section 165-a of the State Finance Law and maintained by the Commissioner of the Office of General Services.

A bid or proposal shall not be considered for award nor shall any award be made where the bidder

or proposer fails to submit a signed and verified bidder’s certification. Each bidder or proposer must certify that it is not on the list of entities engaged in investment activities in Iran created pursuant to paragraph (b) of subdivision 3 of Section 165-a of the State Finance Law. In any case where the bidder or proposer cannot certify that they are not on such list, the bidder or proposer shall so state and shall furnish with the bid or proposal a signed statement which sets forth in detail the reasons why such statement cannot be made. The City of New York may award a bid to a bidder who cannot make the certification on a case by case basis if:

(1) The investment activities in Iran were made before the effective date of this section (i.e., April 12, 2012), the investment activities in Iran have not been expanded or renewed after the effective date of this section and the person has adopted, publicized and is implementing a formal plan to cease the investment activities in Iran and to refrain from engaging in any new investments in Iran: or

(2) The City makes a determination that the goods or services are necessary for the City to perform its functions and that, absent such an exemption, the City would be unable to obtain the goods or services for which the contract is offered. Such determination shall be made in writing and shall be a public document.

BIDDER’S CERTIFICATION OF COMPLIANCE WITH IRAN DIVESTMENT ACT

Pursuant to General Municipal Law §103-g, which generally prohibits the City from entering into contracts with persons engaged in investment activities in the energy sector of Iran, the bidder/proposer submits the following certification:

[Please Check One] BIDDER’S

CERTIFICATION

By submission of this bid or proposal, each bidder/proposer and each person signing on behalf of any bidder/proposer certifies, and in the case of a joint bid each party thereto certifies as to its own organization, under penalty of perjury, that to the best of its knowledge and belief, that each bidder/proposer is not on the list created pursuant to paragraph (b) of subdivision 3 of Section 165-a of the State Finance Law.

I am unable to certify that my name and the name of the bidder/proposer does not appear on the

list created pursuant to paragraph (b) of subdivision 3 of Section 165-a of the State Finance Law. I have attached a signed statement setting forth in detail why I cannot so certify.

Dated: , New York , 20

SIGNATURE

PRINTED NAME

TITLE Sworn to before me this day of , 20

_______________________________ Notary Public

Dated:

2 | P a g e

CITY OF NEW YORK

SUBCONTRACTOR APPROVAL FORM Column on left indicates whom that section is to be completed by.

AGEN

CY

PRIME CONTRACT INFORMATION

Agency: Unit/Divison: FMS Contract No.: PIN: Contract Value: $ Registration Date: Contract Description:

PRIME CONTRACTOR IDENTIFICATION Name: Phone: Fax: Address: City: State/Zip: EIN/SSN: E-Mail:

PRIM

E CO

NTA

CTO

R

SUBCONTRACTOR INFORMATION Name: Phone: Fax: Address: City: State/Zip: EIN/SSN: E-Mail: Subcontract Description: Plumbing HVAC Electrical or Other (describe below)

Agreed-Upon Subcontract Value: $ Approx Start Date __/__/__ Approx End Date __/__/__ Subcontractor is DSBS-certified as: M/WBE EBE or LBE (check all that apply & note status below) YES Application Pending Intends to Apply NO Subcontractor Prevailing Wage or Living Wage Statement (if applicable) Prime Contractor Certification: I hereby affirm that the information supplied is true and correct.

Signature Title

Print Name Date

AGEN

CY

AGENCY PRELIMINARY REVIEW PLEASE SEE PAGE 2 FOR INSTRUCTIONS

Agency Preliminary Review Completed By: Date

1. VENDEX 2. Employment 3. References 4. Apprenticeship 5. Licenses

PRIM

E CO

NTA

CTO

R PRIME CONTRACTOR RESPONSE

For each of the boxes checked in the agency preliminary response above, I have informed the Subcontractor of all relevant requirements and provided all requested documentation.

Initials: Date

AGEN

CY AGENCY FINAL RESPONSE

Final Agency Approval: Granted Denied

Signature: Date

3 | P a g e

CITY OF NEW YORK

SUBCONTRACTOR APPROVAL FORM Page 2

Prime Vendor Preliminary Review Follow-up Instructions After completing the Preliminary Review, the agency will mark, on Page 1, the box for any item requiring follow-up and return the form the to the Prime Vendor. The Prime Vendor should follow the instructions below for each of the boxes checked in the Agency Preliminary Review on Page 1, and return the form to the agency with any required documentation.

1. VENDEX

If Box 1 (VENDEX) is checked, the agency has granted preliminary approval, and determined that the subcontractor is required to file VENDEX Questionnaires with the Mayor's Office of Contract Services. A VENDEX Vendor Questionnaire and Principal Questionnaire must be filed where the subcontract dollar amount is ≥ $100,000 or where the aggregate business with the City is ≥ $100,000 during the preceding twelve months. The VENDEX Questionnaires and Guide can be downloaded from http://www.nyc.gov/html/selltonyc/html/tocvendex.html.

2. Employment If Box 2 (Employment) is checked, the subcontractor must complete a Division of Labor Services (DLS) Construction Employment Report. A subcontractor selected to perform work on a construction project funded or assisted by the City of New York must complete a DLS Construction Employment Report if the subcontract dollar amount > $750,000. For construction projects funded in whole or in part by the federal government, a DLS Construction Employment Report must be completed if the proposed subcontract value > $10,000. For non-construction goods/services subcontracts > $100,000, employment reports are required for any subcontractor with > 50 employees, and a certificate is required for those with fewer employees.

3. References

If Box 3 (References) is checked, you as the prime contractor must provide references with respect to the subcontractor’s ability to perform, consisting of a list of three completed comparable projects. References shall include a full description/location of each project, scope of work, value of project, and the names and phone numbers of owners, architect or engineer who supervised the work. Please attach your documentation to your response.

4. Apprenticeship

If Box 4 (Apprenticeship) is checked, you as the prime contractor must provide the agency with proof that the subcontractor maintains an apprenticeship agreement appropriate for the scope of work to be performed, that the apprenticeship agreement has been registered with and approved by the New York State Commission of Labor, and that the program has three years of current, successful experience in providing career opportunities.

5. Licenses If Box 5 (Licenses) is checked, you as the prime contractor must document that the subcontractor has all required licenses. Please attach your documentation to your response.