
STATE OF NORTH DAKOTA
BANK OF NORTH DAKOTA
1200 MEMORIAL HIGHWAY
BISMARCK, ND 58506-5509

Request For Proposal (RFP)

RFP Title: SIEM (Security Information and Event Management) Management and Monitoring
RFP Number: 110.7-14-059
Date of Issue: November 26, 2014
Purpose of RFP: Soliciting a proposal for a vendor to provide 24/7 SIEM management and monitoring for the BND.

Offerors are not required to return this form.
Procurement Officer: Angie Scherbenske

TABLE OF CONTENTS

SECTION ONE - INTRODUCTION AND INSTRUCTIONS
1.01 Purpose of the RFP
1.02 Contact Person, Telephone, Fax Numbers and E-mail
1.03 RFP Schedule
1.04 Proposal Submission
1.05 Assistance to Offerors with a Disability
1.06 Deadline for Receipt of Questions and Objections
1.07 Approved Vendor Registration Requirements
1.08 Pre-proposal Conference
1.09 Amendments to the RFP
1.10 News Releases
1.11 Notice Provided
1.12 Letter of Interest

SECTION TWO - BACKGROUND INFORMATION
2.01 Definitions
2.02 Background Information
2.03 Budget

SECTION THREE – SCOPE OF WORK
3.01 Scope of Work and Deliverables
3.02 Applicable Directives
3.03 Information Technology Solution
3.04 Offeror Experience and Qualifications Mandatory Requirements

SECTION FOUR - GENERAL CONTRACT INFORMATION
4.01 Standard Contract Provisions
4.02 Proposal as a Part of the Contract
4.03 Additional Terms and Conditions
4.04 Supplemental Terms and Conditions
4.05 Contract Approval
4.06 Contract Changes – Unanticipated Amendments
4.07 Taxes and Taxpayer Tax Identification

SECTION FIVE - EVALUATION CRITERIA AND CONTRACTOR SELECTION
5.01 Plan for Accomplishing the Scope of Work
5.02 Experience and Qualifications
5.03 Contract Cost

SECTION SIX - PROPOSAL FORMAT AND CONTENT
6.01 Proposal Format
6.02 Technical Proposal Content
6.03 Cost Proposal

SECTION SEVEN - STANDARD PROPOSAL INFORMATION
7.01 Authorized Signature
7.02 State Not Responsible for Preparation Costs
7.03 Conflict of Interest
7.04 Offer Held Firm
7.05 Amendments to Proposals and Withdrawal of Proposals
7.06 Alternate Proposals
7.07 Subcontractors
7.08 Joint Ventures
7.09 Disclosure of Proposal Contents and Compliance with North Dakota Open Records Laws
7.10 Evaluation of Proposal
7.11 Right of Rejection
7.12 Clarification of Offers
7.13 Discussion and Best and Final Offers
7.14 Preference Laws
7.15 Contract Negotiation
7.16 Failure to Negotiate
7.17 Notice of Intent to Award – Offeror Notification of Selection
7.18 Protest and Appeal

Attachments
1. Contract
2. Proposal Evaluation Worksheet
3. Cost Proposal Format


SECTION ONE - INTRODUCTION AND INSTRUCTIONS

1.01 Purpose of the RFP
The State of North Dakota, acting through its Bank of North Dakota (STATE) is soliciting proposals for a vendor to provide 24/7 SIEM management and monitoring for the BND.

1.02 Contact Person, Telephone, Fax, E-mail
The procurement officer is the point of contact for this RFP. All vendor communications regarding this RFP must be directed to the procurement officer. Unauthorized contact regarding the RFP with other State employees may result in the vendor being disqualified, and the vendor may also be suspended or disbarred from the state bidders list.

PROCUREMENT OFFICER: Angie Scherbenske
PHONE: 701-328-2779
FAX: 701-328-1615
TTY Users call: 7-1-1
E-MAIL: [email protected]

1.03 RFP Schedule
The RFP schedule is as follows:
• RFP Issued: November 26, 2014
• Deadline for receipt of questions and objections related to the RFP: December 10, 2014 at 3 p.m. CT
• Responses to questions / RFP amendments (if required) by approximately: December 12, 2014
• Proposals due by: December 30, 2014 at 3 p.m. CT
• Proposal Evaluation Committee evaluation completed by approximately: January 7, 2015
• Notice of Intent to Award a Contract issued approximately: January 8, 2015
• Contract issued and start approximately: January 28, 2015

1.04 Proposal Submission Offerors shall submit 2 copies of its technical proposal in a sealed envelope or package. Offerors shall submit 2 copies of its cost proposal in a separate sealed envelope or package, clearly labeled “cost proposal.” Offerors shall submit an electronic copy of their entire proposal on CD, DVD, or USB Flash Drive in a MS Word or Adobe Reader format. Cost proposals should be separate files from the technical proposal.


Envelopes or packages containing proposals must be clearly addressed as described below to ensure proper delivery and to avoid being opened by STATE before the deadline for receipt. Envelopes or packages must be addressed as follows: Office of Management & Budget State Procurement Office/Dept 012 Request for Proposal (RFP): SIEM Management and Monitoring Services RFP Number: 110.14-07-059 600 East Boulevard Avenue, 14th Floor Bismarck, ND 58505-0310 Proposals must be received by STATE at the location specified no later than the date and time listed in the RFP Schedule. Proposals will not be publicly read at the opening. Proposals may not be delivered orally, by facsimile transmission, by other telecommunication or electronic means. Offerors may fax or electronically transmit signed proposals to a third party who must deliver the proposal to the location indicated above by the date and time designated as the deadline for receipt of proposals. Offerors assume the risk of the method of dispatch chosen. STATE assumes no responsibility for delays caused by any delivery service. Postmarking by the due date will not substitute for actual proposal receipt by STATE. An offeror’s failure to submit its proposal prior to the deadline will cause the proposal to be rejected. Late proposals or amendments will not be opened or accepted for evaluation. 1.05 Assistance to Offerors with a Disability Offerors with a disability that need an accommodation should contact the procurement officer prior to the deadline for receipt of proposals so that reasonable accommodation can be made. 1.06 Deadline for Receipt of Questions and Objections Offerors must carefully review this solicitation, the contract and all attachments for defects, questionable, or objectionable material. All questions must be in writing and directed to STATE, addressed to the procurement officer, and cite the subject RFP number. The preferred method of submission is electronic mail. 
The procurement officer must receive these written requests by the deadline specified in the RFP Schedule to allow issuance of any necessary amendments. This will also help prevent the opening of a defective solicitation and exposure of offeror's proposals upon which an award could not be made. Protests based on the content of the solicitation will be disallowed if these faults have not been brought to the attention of the procurement officer, in writing, before the time indicated in the RFP Schedule. If the question may be answered by directing the questioner to a specific section of the RFP, then the procurement officer may answer the question over the telephone. Other questions may be more complex and may require a written amendment to the RFP. The procurement officer will make this determination. Oral communications is considered unofficial and non-binding on STATE. The offeror must confirm telephone conversations in writing. 1.07 Approved Vendor Registration Requirements Proposals will be accepted from vendors that are not currently approved vendors on the State’s bidders list; however, the successful offeror will be required to become approved prior to award. To become an approved vendor, offerors must: 1) be registered with the North Dakota Secretary of State (fees apply), and 2) submit a completed Bidders List Application to the North Dakota Vendor Registry Office. Prospective offerors may access the Procurement Vendor Database on-line to verify whether their firm is currently on the bidders list. The bidders list that will be used for this solicitation is commodity code 838-83, 909-33, 91875, and 958-39. The Procurement Vendor Database, registration instructions and forms are available on-line at: http://www.nd.gov/spo/vendor/registry/. Contact the Vendor Registry Office at 701-328-2683 or [email protected] for assistance.


The successful offeror must register and become approved within 30 calendar days from the date of the Notice of Intent to Award. If an offeror fails to become approved by the time specified by the procurement officer, its proposal will be determined to be non-responsive, and its proposal will be rejected. 1.08 Pre-proposal Conference No pre-proposal conference will be held for this RFP. Offerors are advised to carefully review the RFP and all attachments and submit all questions to the procurement officer by the deadline indicated for receipt of questions and objections in the RFP schedule. 1.09 Amendments to the RFP If an amendment to this RFP is issued, it will be provided to all offerors who were notified of the RFP and to those that have requested a copy of the RFP from the procurement officer. Amendments will also be posted to the State Procurement Website at www.nd.gov/spo. 1.10 News Releases News releases related to this RFP will not be made without prior approval by STATE. 1.11 Notice Provided Notice of this solicitation has been provided in accordance with N.D.C.C. § 54-44.4-09. 1.12 Letter of Interest Offerors interested in receiving any notices related to this RFP are invited to contact the procurement officer with the name of their firm, contact person, mailing address, telephone number, fax number, and e-mail address. The sole purpose of the letter of interest is to provide STATE with a contact person to receive any notices related to the RFP. Submission of a letter of interest is not a requirement for submitting a proposal.


SECTION TWO - BACKGROUND INFORMATION

2.01 Definitions

| Terminology/ Jargon/ Abbreviation | Meaning |
|---|---|
| 24/7 | Twenty four hours a day/7 days a week or continuously |
| Adverse Event | Adverse events are events with a negative consequence |
| BND | Bank of North Dakota |
| COI | Certificate of Insurance |
| CT | Central time zone |
| Event | Any observable occurrence in a system or network |
| LAN | Local Area Network |
| MSS | Managed Security Service |
| MSSP | Managed Security Service Provider |
| Nation state | Geographical area that can be identified as deriving its political legitimacy from serving as a sovereign nation |
| NDA | Non-disclosure agreement |
| Offense | The outcome of analyzing events and adverse events which determines that there is a possible threat to BND’s information assets |
| QA | Quality assurance |
| SIEM | Security Information and Event Management appliance which provides near realtime analysis of collected logs and network traffic that are generated by the hardware and applications making up the BND Information Systems environment |
| RFP | Request for Proposal |
| SLA | Service Level Agreement |
| SOC | Security Operations Center which is used for the detection, investigation and remediation of information security threats |

2.02 Background Information The Bank of North Dakota is the only state-owned bank in the nation. BND acts as a funding resource in partnership with other financial institutions, economic development groups and guaranty agencies. We have four established business areas: Student Loans, Lending Services, Treasury Services and Banking Services. Threats to financial institutions continue to grow. Attacks have increased in sophistication and effectiveness by targeting the vulnerabilities of specific organizations, often through their vendor and customer relationships. It has become common for this sophistication to be funded by nation states as part of an attack on the United States’ critical infrastructure. The Bank of North Dakota (BND) purchased the existing IBM QRadar Security Information and Event Management (SIEM) in 2012 in part to respond to these threats. The SIEM fulfils log and network traffic monitoring requirements which allow BND to gain insight into the current behavior of systems and networks. As such, the IBM QRadar SIEM is central to BND’s detection of adverse events occurring in both the BND Local Area Network (LAN) and the networks which house BND’s information systems.


Monitoring of the IBM QRadar SIEM is currently done by IS staff, Monday through Friday from approximately 5:00 AM CT to 5:00 PM CT. In order to meet BND’s business and regulatory requirements, this coverage is no longer adequate. FFIEC guidance for incident response states “Management’s ultimate goal should be to minimize damage to the institution and its customers through containment of the incident and proper restoration of information systems”. A timely response to information security incidents is a key component for minimizing damage involving BND information assets. The initial goal for the Information Security effort was to respond to all generated offenses within 24 hours. As BND IS has matured, we have followed the direction provided by NIST which integrates with FFIEC guidance. The NIST direction is to have 24/7 monitoring and implement on-call functionality for staff in order to minimize the response time. It would require a minimum number of four employees to provide this service in-house. Dedicating such a large amount of BND’s limited resources for this purpose would impede progress on other important components of BND’s IS plan. For this reason, BND Information Security would like to engage a MSSP to monitor and manage the IBM QRadar SIEM. The vendor would perform all maintenance tasks, provide expertise in IBM QRadar configuration, monitor the SIEM 24 hours a day/7 days a week and notify BND’s on-call incident response staff. The vendor would also provide additional expertise to be used in coordination with BND’s incident response.

2.03 Budget The funds for payment of this contract are already appropriated and identified.


SECTION THREE - SCOPE OF WORK

3.01 Scope of Work and Deliverables
STATE is soliciting proposals for a vendor to provide 24/7 SIEM management and monitoring for the BND. The selected Managed Security Service Provider (MSSP) will be entrusted with a significant portion of BND’s detection capability. In addition, BND will be implementing the Partially Outsourced team model (NIST SP800-61 Rev. 2) for incident response and will expect the selected MSSP to provide expertise for identified incidents in support of the incident response team.

The selected MSSP shall provide at a minimum, the following deliverables:
1. Perform all maintenance tasks with the IBM QRadar SIEM to support BND’s incident response program
2. Monitor the SIEM 24 hours a day/7 days a week
3. Provide expertise in IBM QRadar configuration
4. Notify BND’s on-call incident response staff
5. Provide additional expertise to be used in coordination with BND’s incident response

3.02 Applicable Directives
This information technology project is subject to the following:
• N.D.C.C. § 54-10-28 related to the state auditor’s authority to conduct information technology compliance reviews.
• N.D.C.C. §§ 54-35-15.2, 54-35-15.3, and 54-35-15.4 related reporting to and review by the Legislative Council Information Technology Committee.
• N.D.C.C. § 54-59 related to the Information Technology Department
• IT Examination Handbook InfoBase, FFIEC, Section: Incident Response
• Computer Security Incident Handling Guide, NIST SP 800-61 Rev. 2, August 2012

3.03 Information Technology Solution

A. Requirements
The STATE seeks a solution with the following required and desired features and functionality:

Priority definitions
• Core - Mission Critical, Must Have (High)
• Essential - Can wait until a future point in time (Medium)
• Desired - Nice to have (Low)

All “core and essential” items listed in this section are requirements. If the Offeror is successful, the Offeror agrees that it shall comply with all requirements throughout the full term of the Contract. Offerors must provide a full response to each priority (Core, Essential, Desired) without cross referencing other sections of the proposal. In addition, the Offeror Response must include any specific references and/or supportive materials as described in the Offeror Response. The State reserves the right to determine whether the supportive materials submitted by the Offeror demonstrate the Offeror will be able to comply with the requirements.

Functional Requirements

| Ref No | Requirement | Process Reference | Priority |
|---|---|---|---|
| BF101 | Provide a detailed description of the process to review BND's existing QRadar implementation/configuration and modify it for integration with the MSS | Configuration | Core |
| BF102 | Ability to work with BND to jointly identify technical details and network access requirements for the MSS implementation | Implementation | Core |
| BF103 | Provide a description of any additional threats/vulnerabilities which would result from the MSS implementation | Implementation | Core |
| BF104 | Provide a diagram which documents the service component communication | Implementation | Core |
| BF105 | No BND data will be located at MSSP. Provide an explanation of how this will or will not work with your MSS implementation | Implementation | Core |
| BF106 | Ability to provide event notification for high to critical impact offenses as part of incident response in less than 30 minutes after occurrence | Incident Response | Core |
| BF107 | Ability to coordinate with BND to align the MSS with BND's incident response procedures | Incident Response | Core |
| BF108 | MSSP must have an internal team which performs ongoing research into current threats/vulnerabilities which could impact BND | Incident Response | Core |
| BF109 | MSSP must have an internal team to provide analysis and remediation recommendations for high to critical impact offenses | Incident Response | Core |
| BF110 | MSSP must have an internal team which supports the daily SOC operations at all locations | Incident Response | Core |
| BF111 | Ability to provide testimony in civil or criminal proceedings if deemed necessary by BND | Incident Response | Core |
| BF112 | Ability to perform all updates in a manner which is in coordination with BND's change control process | Maintenance | Core |
| BF113 | Ability to implement a Quality Assurance (QA) process for QRadar updates and updates to your service - provide details on your QA process | Maintenance | Core |
| BF114 | Ability to apply critical updates in less than 3 days and normal updates in less than 5 days | Maintenance | Core |
| BF115 | MSS must be available 24/7/365 - provide details on updates to your service (hardware/software) and how you insure availability that meets this requirement | Monitoring | Core |
| BF116 | Ability to assure that reports are configured and executing correctly as part of the review process | Reporting | Core |
| BF117 | Ability to provide a set of mutually agreed upon reports at determined intervals for consumption by BND | Reporting | Core |
| BF118 | Key required reports will include trend analysis of key metrics | Reporting | Core |
| BF119 | Ability to provide reports in a variety of formats which include at a minimum PDF, HTML and CSV with DOCX as a desired option | Reporting | Core |
| BF120 | Ability to provide customized reports to BND as needed | Reporting | Core |
| BF121 | Ability to provide event notification for normal to low impact offenses in less than 1 day of occurrence (report) | Reporting | Core |
| BF122 | Provide detail on your customer support portal including the support hours and the ticket submission/escalation process | Support | Core |
| BF123 | Provide information on any documentation available through the customer support portal | Support | Desired |
| BF124 | Provide information on the telephone contact system with the details on assigned contacts/resources if any | Support | Core |
| BF125 | Provide information on support services not included with MSS contract and the associated fee structure | Support | Core |
| BF126 | Provide information on how you measure customer satisfaction. Please provide relevant information for the last 3 years | Support | Desired |

Non-Functional (Technical) Requirements

| Ref No | Requirement | Process Reference | Priority |
|---|---|---|---|
| NF101 | Ability to work with BND to implement regular remote backups of all system data and product configurations | Backup/Recovery | Core |
| NF102 | Ability to ensure the proper operation of all backups as part of the periodic system review process | Backup/Recovery | Core |
| NF103 | Provide due diligence documents which include financials, insurance and audited controls documents | Compliance/Regulatory | Core |
| NF104 | Provide confirmation that the MSSP employs or has under contract an audit/compliance team | Compliance/Regulatory | Core |
| NF105 | Provide detail on periodic audits including both frequency of occurrence and details on how identified risks are mitigated | Compliance/Regulatory | Core |
| NF106 | Provide confirmation that they have an ethics policy which is available to employees | Compliance/Regulatory | Core |
| NF107 | Ability to ensure a minimum of 2 Security Operations Centers (SOC) locations which meet the requirements for Disaster Recovery and Service Continuity | Disaster Recovery | Core |
| NF108 | Ability to confirm that English is spoken at all SOC locations which may provide the MSS to BND | Disaster Recovery | Core |
| NF109 | Provide a list of all countries where SOCs are located | Disaster Recovery | Core |
| NF110 | Provide a breakdown on customer base by industry vertical with an emphasis on any experience working with financial institutions | General | Essential |
| NF111 | Provide two to three client references where the client has a profile similar to our company | General | Core |
| NF112 | Provide details on subcontractors or third-party vendors whose provided service(s) or product(s) impact the delivery of this service | General | Essential |
| NF113 | Provide details on the requested MSS including implementation, maintenance and monitoring requirements | General | Core |
| NF114 | Provide details on any additional support offerings related to this MSS | General | Core |
| NF115 | Provide details on the maturity of this MSS, - include the length of time this service has been offered | General | Essential |
| NF116 | Provide a list of other available MSS offerings which can be used for planning | General | Core |
| NF117 | Provide information for onsite SOC visits by customers | General | Core |
| NF118 | Provide details and pricing for all the SLA service levels which are available | Pricing | Core |
| NF119 | Provide details on SLA non-compliance monitoring and the remedies provided for non-compliance | Pricing | Core |
| NF120 | Provide details on indemnification agreement availability | Pricing | Core |
| NF121 | Describe the process to perform periodic reviews which ensure the system's ongoing reliability and effectiveness | Review | Core |
| NF122 | Provide details on how background checks are performed for employees and non-employees (like contractors) | Staff | Core |
| NF123 | Provide details on how your organization ensures that staff are complying with your code of ethics | Staff | Core |
| NF124 | Provide details on the employment of foreign nationals and their use of customer or technical data | Staff | Core |
| NF125 | Provide information on staff certifications and credentials | Staff | Core |
| NF126 | Provide information on the process used to maintain staff proficiency for existing and new technologies | Staff | Core |
| NF127 | Provide information on the number of staff dedicated to your MSSP business and the turnover for the last 12 months | Staff | Core |

B. ITD Enterprise Architectural Requirements
1) Standards and Guidelines
The proposed information technology solution is required to comply with the STATE’s information technology standards and guidelines unless an exemption is obtained. Security standards are available upon request by contacting the procurement officer for this RFP. Information Technology Department (ITD) Enterprise Architecture Standards and Guidelines can be found at: http://www.nd.gov/itd/standards/ea

C. Location of Work – Travel
No on-site work is required.

D. State-Furnished Property and Services
The STATE will provide IBM QRadar hardware and SSL VPN. The STATE will provide a sponsor and a primary Information Security project manager.

E. Risk Management
The contractor will take appropriate measures to ensure the safety of its employees, state employees, the public, and property. The contractor must identify any additional risks associated with the project.

F. Contract Schedule
Time is critical in project completion. STATE anticipates working with the CONTRACTOR to complete the project in as short a period of time as is feasible. The approximate contract schedule is as follows:
• Contract Start: On the Effective Date agreed upon by the parties within the contract
• Kick off meeting: Within 1 week from contract’s Effective Date
• Validate Core Requirements gathered by STATE: Within 1 week of contract’s Effective Date
• Initial Implementation Date: No less than 2 weeks and no more than 5 weeks after contract’s Effective Date

3.04 Offeror Experience and Qualifications Mandatory Requirements
Offerors must meet the following experience and qualifications mandatory requirements:
1. MSSP must be an IBM Business Partner and provide certification from IBM of an up-to-date partner license.
2. Offeror must have performed similar work for a similarly configured financial institution within the previous two years.
3. Offeror must have at least three years professional experience performing similar IT consulting.


SECTION FOUR - GENERAL CONTRACT INFORMATION 4.01 Standard Contract Provisions The successful offeror will be required to sign and submit the contract attached to this RFP which is attached as Attachment 1. The contractor must comply with the contract provisions set out in the contract. Any objections to the contract provisions must be set out in the offeror’s proposal. No alteration of these provisions will be permitted without prior written approval from STATE. Offerors are instructed to contact the procurement officer in writing by the deadline set for questions with any concerns regarding the contract provisions. 4.02 Proposal as a Part of the Contract Part or all of this RFP and the successful proposal may be incorporated into the contract. 4.03 Additional Terms and Conditions STATE reserves the right to add, delete, or modify terms and conditions during contract negotiations. These terms and conditions will be within the scope of the RFP and will not affect the proposal evaluations. 4.04 Supplemental Terms and Conditions Proposals including supplemental terms and conditions will be accepted, but supplemental conditions that conflict with those contained in this RFP or that diminish STATE’s rights under any contract resulting from the RFP will be considered null and void. STATE is not responsible for identifying conflicting supplemental terms and conditions before issuing a contract award. After award of contract: (a) if conflict arises between a supplemental term or condition included in the proposal and a term or condition of the RFP, the term or condition of the RFP will prevail; and (b) if STATE’s rights would be diminished as a result of application of a supplemental term or condition included in the proposal, the supplemental term or condition will be considered null and void. 4.05 Contract Approval This RFP does not, by itself, obligate STATE. STATE’s obligation will commence when STATE approves the contract. 
Upon written notice to the contractor, STATE may set a different starting date for the contract. STATE will not be responsible for any work done by the contractor, even work done in good faith, if it occurs prior to the contract start date set by STATE. 4.06 Contract Changes - Unanticipated Amendments During the course of this contract, the contractor may be required to perform additional work. That work will be within the general scope of the initial contract. When additional work is required, the project manager designated by STATE will provide the contractor a written description of the additional work and request the contractor to submit a firm time schedule for accomplishing the additional work and a firm price for the additional work. Cost and pricing data must be provided to justify the cost of amendments. The contractor will not commence additional work until STATE project manager has secured any required STATE approvals necessary for the amendment and issued a written contract amendment, approved by STATE. 4.07 Taxes and Taxpayer Identification The contractor must provide a valid Vendor Tax Identification Number as a provision of the contract. STATE is not responsible for and will not pay local, state, or federal taxes. STATE sales tax exemption number is E-2001, and certificates will be furnished upon request. A contractor performing any contract, including service contracts, for the United States Government, State of North Dakota, counties, cities, school districts, park board or any other political subdivisions within North Dakota is not exempt from payment of sales or use tax on material and supplies used or consumed in carrying out contracts. In these cases, the contractor is required to file returns and pay sales and use tax just as required for contracts with private parties. Contact the North Dakota Tax Department at 701-328-1246 or visit its website at www.nd.gov/tax/ for more information.


A contractor performing any contract, including a service contract, within North Dakota is also subject to the corporation income tax, individual income tax, and withholding tax reporting requirements, whether the contract is performed by a corporation, partnership, or other business entity, or as an employee of the contractor. In the case of employees performing the services in the state, the contractor is required to withhold state income tax from the employees' compensation and remit to the state as required by law. Contact the North Dakota Tax Department at 701-328-1248 or visit its web site for more information


SECTION FIVE - EVALUATION CRITERIA AND CONTRACTOR SELECTION

THE TOTAL NUMBER OF POINTS USED TO SCORE THIS PROPOSAL IS 100

5.01 Plan for Accomplishing the Scope of Work
Forty (40) of the total possible evaluation points will be assigned to this criterion. The evaluation committee members will consider the questions in the Proposal Evaluation Worksheet attached as Attachment 2, when awarding points.

5.02 Experience and Qualifications
Thirty (30) of the total possible points will be assigned to this criterion. The evaluation committee members will consider the questions in the Proposal Evaluation Worksheet, when awarding points.

5.03 Contract Cost
Thirty (30) of the total possible evaluation points will be assigned to cost. The procurement officer or other designated STATE employee will evaluate cost proposals and convert the cost amount into points. Any prompt payment discount terms proposed by the offeror will not be considered in evaluating cost. The cost amount used for evaluation may be affected by the application of North Dakota Preference laws in accordance with N.D.C.C. § 44-08-01. For information regarding state preference laws, refer to Guidelines to North Dakota Purchasing Preference Laws. After applying any reciprocal preference, the cost proposal with the lowest cost will receive the maximum number of points. The point allocations on the other cost proposals will be determined as follows:

(Price of Lowest Cost Proposal / Price of Proposal Being Rated) x Total Points for Cost Available = Points

SECTION SIX - PROPOSAL FORMAT AND CONTENT 6.01 Proposal Format STATE discourages overly lengthy and costly proposals; however, in order for STATE to evaluate proposals fairly and completely, offerors must follow the format set out in this RFP and provide all information requested. 6.02 Technical Proposal Contents Offerors shall provide the following information in its technical proposal: A. Introduction Offeror shall include a cover letter signed by a company officer with authority to bind the company. The letter must contain the following: 1. The complete name and address of the offeror and the name, mailing address, and telephone number of the person STATE should contact regarding the proposal. 2. A statement that the offeror has read and agrees to comply with the requirements stated in this Request for Proposal. 3. A statement indicating whether or not the firm or its employees have an apparent or actual conflict of interest, such as immediate family members employed by the State of North Dakota, or State employees with a financial interest in the firm. 4. A statement acknowledging the receipt of solicitation amendments issued and verifying all solicitation amendments required to be acknowledged are included in the proposal. B. Plan for Accomplishing the Scope of Work Offeror shall provide comprehensive narrative statements that illustrate their understanding of the requirements of the RFP, that set out the methodology used in accomplishing the scope of work and illustrate how the methodology will serve to accomplish the work described in the scope of work. In addition to or included with the narrative statements, Offeror shall provide the following: 1. Proposed project schedule to complete the scope of work; 2. Number and type of offeror resources planned to be utilized; 3. Amount of time the offeror expects to spend onsite versus offsite, including type of work to be performed offsite; and 4. 
Expectation of STATE resource availability including the amount of time and type of resource. C. Experience and Qualifications Offeror shall provide: 1. Comprehensive narrative statements that illustrate its technical expertise in business process modeling using industry standard process modeling tools, methods and formats. Offeror shall provide two (2) examples of business process models, using the modeling tools and format it plans to use to accomplish the scope of work; 2. Description of experience working with State Motor Vehicle Agencies. 3. Three (3) references for previous clients where similar services were provided; reference information to include the following: a) Company Name; b) Name of Contact Person, Title, Phone Number, Email Address; c) Description of services provided (e.g. scope of work); d) Number and type of offeror resources that completed the scope of work; and e) Time frame of when the services were provided. 4. Information specific to the key staff anticipated to be assigned to accomplish the work called for in the RFP. For each key staff member, an offeror shall include: a) Name; b) Title; c) A description of anticipated role and responsibilities; d) A brief description of educational background, relevant training, professional experience, skills, relevant certifications and any other special qualifications directly related to the work called for in this RFP; and e) A listing of recent assignments with scope of work similar to this RFP, including a description of the

assignment, the role the individual filled and the outcome of the assignment 6.03 Cost Proposal Contents Offerors shall provide the following information in its cost proposal: A. Cost Proposal The offeror must provide a total firm fixed price that includes all costs associated with the requirements of this RFP. The offeror must complete the Cost Proposal Format which is attached as Attachment 3 or a document following the same format. The offeror must consider STATE’s standard terms and conditions of this RFP, including the Contract. The offeror must state all costs associated with the contract in U.S. currency. The offeror must identify any commodities the offeror will import, and the price must include any applicable customs, brokerage agency fees, and duties. The offeror should provide a description of the required and proposed deliverables contained in its proposal. The offeror should describe any discount terms for prompt payment. STATE will not consider this information when evaluating cost. B. Financial Information Provide financial information in such a manner that STATE can reasonably formulate a determination about the stability and financial strength of the organization. This must include information about: 1) Company size 2) Organization/date of incorporation 3) Ownership 4) Number of employees Disclose any and all judgments, pending or expected litigation, or other real potential financial reversals, which might materially affect the viability or stability of the offeror’s organization; or certify that no such condition is known to exist. STATE may request reports on financial stability from independent financial rating services in order to further substantiate stability.

SECTION SEVEN - STANDARD PROPOSAL INFORMATION 7.01 Authorized Signature An individual authorized to bind the offeror to the provisions of the RFP must sign all proposals. 7.02 State Not Responsible for Preparation Costs STATE will not pay any cost associated with the preparation, submittal, presentation, or evaluation of any proposal. 7.03 Conflict of Interest Offerors must disclose any instances where the firm or any individuals working on the contract has a possible conflict of interest and, if so, the nature of that conflict (e.g. employed by the State of North Dakota). STATE reserves the right to cancel the award if any interest disclosed from any source could either give the appearance of a conflict or cause speculation as to the objectivity of the offeror’s proposal. STATE’s determination regarding any questions of conflict of interest is final. 7.04 Offer Held Firm Proposals must remain open and valid for at least 90 days from the deadline specified for receipt of proposals. In the event award is not made within 90 days, STATE will send a written request to all offerors deemed susceptible for award asking offerors to hold their price firm for a longer specified period of time. 7.05 Amendments to Proposals and Withdrawals of Proposals Offerors may amend or withdraw proposals prior to the deadline set for receipt of proposals. No amendments will be accepted after the deadline unless they are in response to STATE’s request. After the deadline, offerors may make a written request to withdraw proposals and provide evidence that a substantial mistake has been made. The procurement officer may permit withdrawal of the proposal upon verifying that a substantial mistake has been made, and STATE may retain the offeror’s bid bond or other type of bid security, if one was required. 7.06 Alternate Proposals If an Offeror submits more than one proposal, each proposal must be prepared according to proposal format and content instructions. 
Alternate proposals (proposals that offer something different than what is requested) will be rejected. 7.07 Subcontractors Subcontractors may be used to perform work under this contract. 7.08 Joint Ventures Joint ventures will not be allowed. 7.09 Disclosure of Proposal Contents and Compliance with North Dakota Open Records Laws All proposals and other material submitted become the property of STATE and may be returned only at STATE’s option. All proposals and related information, including detailed cost information, are exempt records and will be held in confidence until an award is made, in accordance with N.D.C.C. § 54-44.4-10(2). Offerors may make a written request that trade secrets and other proprietary data contained in proposals be held confidential. Material considered confidential by the offeror must be clearly identified, and the offeror must include a brief statement that sets out the reasons for confidentiality. See the North Dakota Office of the Attorney General website for additional information. http://www.ag.nd.gov/OpenRecords/ORM.htm After award, proposals will be subject to the North Dakota open records law. Records are closed or confidential only if specifically stated in law. If a request for public information is received, the procurement officer, in consultation with the Office of the Attorney General, will determine whether the information is an exception to the North Dakota open records law, and the information will be processed appropriately. 7.10 Evaluation of Proposals All proposals will be reviewed to determine if they are responsive to the requirements of this solicitation. The procurement officer or an evaluation committee will evaluate responsive proposals. The evaluation will be based solely on the evaluation factors set forth in this RFP. The evaluation will consider information obtained

subsequent to any discussions with offerors determined to be reasonable for award and any demonstrations, oral presentations, or site inspections, if required in this RFP. 7.11 Right of Rejection STATE reserves the right to reject any proposals, in whole or in part. Proposals received from debarred or suspended vendors will be rejected. The procurement officer may reject any proposal that is not responsive to all of the material and substantial terms, conditions, and performance requirements of the RFP. Offerors may not qualify the proposal nor restrict the rights of STATE. If an offeror does so, the procurement officer may determine the proposal to be a non-responsive counter-offer and the proposal may be rejected. The procurement officer may waive minor informalities that:       

- do not affect responsiveness;
- are merely a matter of form or format;
- do not change the relative standing or otherwise prejudice other offers;
- do not change the meaning or scope of the RFP;
- are insignificant, negligible, or immaterial in nature;
- do not reflect a material change in the work; or
- do not constitute a substantial reservation against a requirement or provision.

STATE reserves the right to reject any proposal determined to be not responsive, and to reject the proposal of an offeror determined to be not responsible. STATE also reserves the right to refrain from making an award if it determines it to be in its best interest. 7.12 Clarification of Offers In order to determine if a proposal is reasonably susceptible for award, communications by the procurement officer or the proposal evaluation committee are permitted with an offeror to clarify uncertainties or eliminate confusion concerning the contents of a proposal and determine responsiveness to the RFP requirements. Clarifications may not result in a material or substantive change to the proposal. The initial evaluation may be adjusted because of a clarification under this section. After receipt of proposals, if there is a need for any substantial clarification or material change in the RFP, an amendment will be issued. The amendment will incorporate the clarification or change, and a new date and time established for new or amended proposals. Evaluations may be adjusted as a result of receiving new or amended proposals. 7.13 Discussions and Best and Final Offers STATE may conduct discussions or request best and final offers with offerors that have submitted proposals determined to be reasonably susceptible for award. STATE is not obligated to do so, therefore, offerors should submit their best terms (cost and technical). The purpose of these discussions is to ensure full understanding of the requirements of the RFP and the offeror’s proposal. Discussions will be limited to specific sections of the RFP or proposal identified by the procurement officer. Discussions, if held, will be after initial evaluation of proposals by the proposal evaluation committee. If modifications to the proposal are made as a result of these discussions, the modifications must be put in writing. 
Offerors with a disability needing accommodation should contact the procurement officer prior to the date set for discussions so that reasonable accommodation can be made. 7.14 Preference Laws The preference given to a resident North Dakota offeror will be equal to the preference given or required by the state of the nonresident bidder. A “resident” North Dakota bidder, offeror, seller, or contractor is one that has maintained a bona fide place of business within this State for at least one year prior to the date on which a contract was awarded. For a listing of state preference laws, visit the following website: http://www.nd.gov/spo/legal/resources/ or contact the North Dakota State Procurement Office at 701-328-2740. 7.15 Contract Negotiation After final evaluation, STATE may negotiate with the offeror of the highest-ranked proposal. Negotiations, if held,

will be within the scope of the request for proposals and limited to those items that would not have an effect on the ranking of proposals. If the highest-ranked offeror fails to provide necessary information for negotiations in a timely manner, or fails to negotiate in good faith, STATE may terminate negotiations and negotiate with the offeror of the next highest-ranked proposal. If contract negotiations are commenced, they will be held primarily by email. The offeror will be responsible for all costs. 7.16 Failure to Negotiate If the selected offeror:    

- fails to provide the information required to begin negotiations in a timely manner;
- fails to negotiate in good faith;
- indicates it cannot perform the contract within the budgeted funds available for the project; or
- if the offeror and STATE, after a good faith effort, cannot come to terms,

STATE may terminate negotiations with the offeror initially selected and commence negotiations with the next highest ranked offeror. 7.17 Notice of Intent to Award - Offeror Notification of Selection After the completion of contract negotiation the procurement officer will issue a written Notice of Intent to Award and send copies to all offerors. The Notice of Intent to Award will set out the names and addresses of all offerors and identify the proposal selected for award. The scores and placement of other offerors will not be part of the Notice of Intent to Award. The successful offeror named in the Notice of Intent to Award is advised not to begin work, purchase materials, or enter into subcontracts relating to the project until both the successful offeror and STATE sign the contract. 7.18 Protest and Appeal North Dakota law provides that an interested party may protest a solicitation. If an interested party wishes to protest the content of this RFP, the protest must be received, in writing, by the procurement officer at least seven calendar days before the deadline for receipt of proposals. An interested party may protest the award or proposed award of a contract. If an offeror wishes to protest the award of a contract or proposed award of a contract, the protest must be received, in writing, by the procurement officer within seven calendar days after the date the Notice of Intent to Award was issued.

ATTACHMENT 1 SIEM MANAGEMENT AND MONITORING CONTRACT 1. PARTIES The parties to this contract (Contract) are the state of North Dakota, acting through its Bank of North Dakota (STATE), and having its principal place of business at (CONTRACTOR); 2. SCOPE OF WORK CONTRACTOR, in exchange for the compensation paid by STATE under this Contract, shall provide the following services: 3. COMPENSATION a. Contractual Amount STATE shall pay for the accepted services provided by CONTRACTOR under this Contract an amount not to exceed (Contractual Amount). The Contractual Amount is firm for the duration of the Contract and constitutes the entire compensation due CONTRACTOR for performance of its obligations under this Contract regardless of the difficulty, materials or equipment required, including fees, licenses, overhead, profit and all other direct and indirect costs incurred by CONTRACTOR except as provided by an amendment to this Contract. b. Invoicing The final cost set forth on each invoice shall be equivalent to the cost for each deliverable or service as specified in the Scope of Work. CONTRACTOR shall not submit an invoice for any deliverable or service specified in the Scope of Work that STATE has not fully accepted. c. Payment Payment made in accordance with this Compensation section shall constitute payment in full for the services and work performed and the deliverables provided under this Contract and CONTRACTOR shall not receive any additional compensation hereunder. STATE shall make payment under this Contract within forty-five (45) calendar days after receipt of an approved invoice. Payment of an invoice by STATE will not prejudice STATE’s right to object to or question that or any other invoice or matter in relation thereto. 
CONTRACTOR's invoice will be subject to reduction for amounts included in any invoice or payment made which are determined by STATE not to constitute allowable costs, on the basis of audits conducted in accordance with the terms of this Contract. At STATE’s sole discretion, all payments shall be subject to reduction for amounts equal to prior overpayments to CONTRACTOR.

For any amounts that are or will become due and payable to STATE by CONTRACTOR, STATE reserves the right to deduct the amount owed from payments that are or will become due and payable to CONTRACTOR under this Contract. d. Travel CONTRACTOR acknowledges travel costs are covered by the Contractual Amount and shall not invoice STATE for travel costs. e. Prepayment STATE will not make any advance payments before performance by CONTRACTOR under this Contract. f. Payment of Taxes by State STATE is not responsible for and will not pay local, state, or federal taxes. STATE sales tax exemption number is E-2001. STATE will furnish certificates of exemption upon request by CONTRACTOR. g. Taxpayer ID CONTRACTOR’s federal employer ID number is: ______________________. h. Purchasing Card

STATE may make a payment using a government credit card. CONTRACTOR will accept a government credit card without passing the processing fees for the government credit card back to STATE. 4. EQUIPMENT, MATERIALS, AND WORKSPACE – RESOURCES PROVIDED BY PARTIES For periods during which the parties mutually agree that CONTRACTOR’s assigned staff is on site: a. On site means 1200 Memorial Highway, Bismarck, ND. b. STATE agrees to provide an adequate working space. c. Equipment and software for on-site CONTRACTOR personnel is to be provided by CONTRACTOR. When STATE and CONTRACTOR agree that remote access to systems is required, STATE shall provide the necessary supervised remote access security to enable CONTRACTOR access to the appropriate STATE systems. 5. TERM OF CONTRACT This Contract begins on and ends on , 20 (INSERT 1 YEAR FROM EXECUTION).

a. No Automatic Renewal This Contract will not automatically renew. b. Extension Option STATE reserves the right to extend the Contract for an additional period of time, not to exceed twelve months, beyond the current termination date of the Contract.

c. Renewal Option STATE may renew this Contract upon satisfactory completion of the initial Contract term. STATE reserves the right to execute up to four options to renew this Contract under the same terms and conditions for a period of up to twelve months each. d. Renegotiation Option In view of the fact that it is unknown how long the services will be employed by STATE and that STATE may seek CONTRACTOR’s services on other business units or implementation of recommendations provided by CONTRACTOR after completion of the initial term of the Contract including any extensions, STATE and CONTRACTOR may renegotiate the Contract upon mutual agreement of the parties. 6. TERMINATION a. Termination by Mutual Agreement This Contract may be terminated by mutual consent of both parties executed in writing. b. Termination without Cause STATE may terminate this Contract in whole or in part when it has determined that continuing the Contract is no longer necessary or would not produce beneficial results commensurate with the further expenditure of public funds. c. Termination for Lack of Funding or Authority STATE, by written notice of default to CONTRACTOR, may terminate the whole or any part of this Contract under any of the following conditions: 1) If funding from federal, state, or other sources is not obtained and continued at levels sufficient to allow for purchase of the services or supplies in the indicated quantities or term. 2) If federal or state laws or rules are modified or interpreted in a way that the services are no longer allowable or appropriate for purchase under this Contract or are no longer eligible for the funding proposed for payments authorized by this Contract. 3) If any license, permit, or certificate required by law or rule, or by the terms of this Contract, is for any reason denied, revoked, suspended, or not renewed. 
Termination of this Contract under this subsection is without prejudice to any obligations or liabilities of either party already accrued prior to termination. d. Termination for Cause. STATE may terminate this Contract effective upon delivery of written notice to CONTRACTOR, or any later date stated in the notice: 1) If CONTRACTOR fails to provide services required by this Contract within the time specified or any extension agreed to by STATE; or 2) If CONTRACTOR fails to perform any of the other provisions of this Contract, or so fails to pursue the work as to endanger performance of this Contract in accordance with its terms. The rights and remedies of STATE provided in this subsection are not exclusive and are in addition to any other rights and remedies provided by law or under this Contract.

7. SUSPENSION FOR CONVENIENCE STATE shall have the right at any time to order the services of CONTRACTOR fully or partially stopped for STATE’s own convenience. STATE shall provide CONTRACTOR written notice of the reason for and duration of the suspension. The schedule shall be delayed on a day-for-day basis to the extent STATE has issued a stop work order to CONTRACTOR and such stop work order is causing delays in completing services in accordance with the schedule. CONTRACTOR shall have the right to submit claims in accordance with the terms of this Contract as a result of stop work orders issued under this section. 8. FORCE MAJEURE Neither party shall be held responsible for delay or default caused by fire, riot, terrorism, acts of God or war if the event is beyond the party’s reasonable control and the affected party gives notice to the other party immediately upon occurrence of the event causing the delay or default or that is reasonably expected to cause a delay or default. 9. INJUNCTIVE RELIEF CONTRACTOR shall immediately report to STATE any and all unauthorized disclosures or uses of STATE’s Confidential Information or Proprietary Information of which CONTRACTOR or its staff is aware or has knowledge. CONTRACTOR acknowledges that any unauthorized publication or disclosure of STATE’s Confidential Information or Proprietary Information to others may cause immediate and irreparable harm to STATE. If CONTRACTOR should publish or disclose such Confidential Information or Proprietary Information without authorization, STATE shall immediately be entitled to injunctive relief or any other remedies to which it is entitled under law or equity without requiring a cure period. 
CONTRACTOR shall indemnify, defend, and hold harmless STATE from all damages, costs, liabilities, and expenses (including without limitation reasonable attorneys’ fees) caused by or arising from CONTRACTOR’s unauthorized notification or disclosure of STATE’s Confidential Information or Proprietary Information. As a condition to these indemnity obligations, STATE will provide CONTRACTOR with prompt notice of any claim of which STATE is aware and for which indemnification shall be sought under this Contract and shall cooperate in all reasonable respects with CONTRACTOR in connection with any such claim. 10. RIGHT TO WITHHOLD AMOUNTS OTHERWISE DUE IF THE CONTRACTOR IS IN BREACH If CONTRACTOR fails to deliver Deliverables or to provide Services which satisfy CONTRACTOR’s obligations under this Contract, STATE shall have the right to withhold any and all payments due under this Contract. STATE may withhold any and all such payments due under this Contract to CONTRACTOR without penalty or work stoppage by CONTRACTOR, until such failure to perform is cured. 11. RIGHT TO REMEDIES AND CUMULATION OF RIGHTS No remedy conferred by any of the specific provisions of the Contract is intended to be exclusive of any other remedy, and each and every remedy shall be cumulative and shall be in addition to every other remedy given under this Contract, now or in the future existing at law or in equity or by statute or otherwise. 12. NON-WAIVER Either party’s failure to exercise any of its rights under the Contract, its delay in enforcing any right, or its waiver of its rights on any occasion, shall not constitute a waiver of such rights on any other occasion. No course of dealing by either party in exercising any of its

rights shall constitute a waiver thereof. No waiver of any provision of the Contract shall be effective unless it is in writing and signed by the party against whom the waiver is sought to be enforced. 13. INDEMNITY CONTRACTOR agrees to defend, indemnify, and hold harmless the state of North Dakota, its agencies, officers and employees (the State), from and against claims based on the vicarious liability of the State or its agents, but not against claims based on the State’s contributory negligence, comparative and/or contributory negligence or fault, sole negligence, or intentional misconduct. The legal defense provided by CONTRACTOR to the State under this provision must be free of any conflicts of interest, even if retention of separate legal counsel for the State is necessary. Any attorney appointed to represent the State must first qualify as and be appointed by the North Dakota Attorney General as a Special Assistant Attorney General as required under N.D.C.C. § 54-12-08. CONTRACTOR also agrees to defend, indemnify, and hold the State harmless for all costs, expenses and attorneys' fees incurred if the State prevails in an action against CONTRACTOR in establishing and litigating the indemnification coverage provided herein. This obligation shall continue after the termination of this Contract. 14. INTELLECTUAL PROPERTY INFRINGEMENT INDEMNIFICATION a. CONTRACTOR, at its own expense, shall defend and indemnify STATE against claims that products furnished under this Contract infringe a United States patent or copyright or misappropriate trade secrets protected under United States law. b. As to any product which is subject to a claim of infringement or misappropriation, CONTRACTOR may (a) obtain the right of continued use of the product for STATE or (b) replace or modify the product to avoid the claim. 
If neither alternative is available on commercially reasonable terms then, at the request of CONTRACTOR, any applicable Software license and its charges will end, STATE will stop using the product, and will return the product to CONTRACTOR. Upon return of the product, CONTRACTOR will give STATE a credit for the price paid to CONTRACTOR, less a reasonable offset for use and obsolescence. 15. REPRESENTATIONS AND WARRANTIES CONTRACTOR represents and warrants to STATE that neither CONTRACTOR, in connection with performing the services in performance of this Contract, nor the completed product delivered by CONTRACTOR, will infringe any patent, copyright, trademark, trade secret or other proprietary right of any person. CONTRACTOR further represents and warrants to STATE that it will not use any trade secrets or confidential or proprietary information owned by any third party in performing the services related to this Contract or in delivery of the completed product unless CONTRACTOR has the authority to license, use or provide those trade secrets or confidential or proprietary information to STATE. CONTRACTOR further represents and warrants to STATE that neither CONTRACTOR nor any other company or individual performing services pursuant to this Contract is under any obligation to assign or give any work done under this Contract to any third party. 16. INSURANCE CONTRACTOR shall secure and keep in force during the term of this Contract and CONTRACTOR shall require all subcontractors, prior to commencement of an agreement between CONTRACTOR and the subcontractor, to secure and keep in force during the term of this Contract, from insurance companies, government self-insurance pools or government

self-retention funds, authorized to do business in North Dakota, the following insurance coverages: 1) Commercial general liability, including premises or operations, contractual, and products or completed operations coverages (if applicable), with minimum liability limits of $250,000 per person and $1,000,000 per occurrence. 2) Automobile liability, including Owned (if any), Hired, and Non-Owned automobiles, with minimum liability limits of $250,000 per person and $1,000,000 per occurrence. 3) Workers compensation coverage meeting all statutory requirements. The policy shall provide coverage for all states of operation that apply to the performance of this contract. 4) Employer’s liability or “stop gap” insurance of not less than $1,000,000 as an endorsement on the workers compensation or commercial general liability insurance. The insurance coverages listed above must meet the following additional requirements: 1) Any deductible or self-insured retention amount or other similar obligation under the policies shall be the sole responsibility of CONTRACTOR. 2) This insurance may be in policy or policies of insurance, primary and excess, including the so-called umbrella or catastrophe form and must be placed with insurers rated “A-” or better by A.M. Best Company, Inc., provided any excess policy follows form for coverage. Less than an “A-” rating must be approved by the State. The policies shall be in form and terms approved by the State. 3) The duty to defend, indemnify, and hold harmless the State under this agreement shall not be limited by the insurance required in this agreement. 4) The state of North Dakota and its agencies, officers, and employees (the State) shall be endorsed on the commercial general liability policy, including any excess policies (to the extent applicable), as additional insured. 
The State shall have all the benefits, rights and coverages of an additional insured under these policies that shall not be limited to the minimum limits of insurance required by this agreement or by the contractual indemnity obligations of CONTRACTOR. 5) The insurance required in this agreement, through a policy or endorsement, shall include: a) “Waiver of Subrogation” waiving any right to recovery the insurance company may have against the State; b) A provision that CONTRACTOR’s insurance coverage shall be primary (i.e. pay first) as respects any insurance, self-insurance or self-retention maintained by the State and that any insurance, self-insurance or self-retention maintained by the State shall be in excess of CONTRACTOR’s insurance and shall not contribute with it; c) Cross liability/severability of interest for all policies and endorsements; d) The legal defense provided to the State under the policy and any endorsements must be free of any conflicts of interest, even if retention of separate legal counsel for the State is necessary; e) The insolvency or bankruptcy of the insured CONTRACTOR shall not release the insurer from payment under the policy, even when such insolvency or bankruptcy prevents the insured CONTRACTOR from meeting the retention limit under the policy. 6) CONTRACTOR shall furnish a certificate of insurance to the undersigned State representative prior to commencement of this agreement. All endorsements shall be provided as soon as practicable. 7) Failure to provide insurance as required in this agreement is a material breach of contract entitling STATE to terminate this agreement immediately. 8) CONTRACTOR shall provide at least 30 day notice of any cancellation or material change to the policies or endorsements.

17. WORK PRODUCT All work product, equipment or materials created for STATE or purchased by STATE under this Contract belong to STATE and must be immediately delivered to STATE at STATE's request upon termination of this Contract. 18. NOTICE All notices or other communications required under this Contract must be given by registered or certified mail and are complete on the date postmarked when addressed to the parties at the following addresses:

STATE: Charlie Tweet, Bank of North Dakota, 1200 Memorial Highway, Bismarck, ND 58506-5509

CONTRACTOR: Name, Title, Address, City, State, Zip

Notice provided under this provision does not meet the notice requirements for monetary claims against STATE found at N.D.C.C. § 32-12.2-04. 19. CONFIDENTIALITY CONTRACTOR shall not use or disclose any information it receives from STATE under this Contract that STATE has previously identified as confidential or exempt from mandatory public disclosure except as necessary to carry out the purposes of this Contract or as authorized in advance by STATE. STATE shall not disclose any information it receives from CONTRACTOR that CONTRACTOR has previously identified as confidential and that STATE determines in its sole discretion is protected from mandatory public disclosure under a specific exception to the North Dakota public records law, N.D.C.C. ch. 44-04. The duty of STATE and CONTRACTOR to maintain confidentiality of information under this section continues beyond the term of this Contract. 20. COMPLIANCE WITH PUBLIC RECORDS LAWS CONTRACTOR understands that, except for disclosures prohibited in this Contract, STATE must disclose to the public upon request any records it receives from CONTRACTOR. CONTRACTOR further understands that any records obtained or generated by CONTRACTOR under this Contract, except for records that are confidential under this Contract, may, under certain circumstances, be open to the public upon request under the North Dakota public records law. CONTRACTOR agrees to contact STATE immediately upon receiving a request for information under the public records law and to comply with STATE’s instructions on how to respond to the request. 21. INDEPENDENT ENTITY CONTRACTOR is an independent entity under this Contract and is not a STATE employee for any purpose, including the application of the Social Security Act, the Fair Labor Standards Act, the Federal Insurance Contribution Act, the North Dakota Unemployment Compensation Law and the North Dakota Workforce Safety and Insurance Act. 
CONTRACTOR retains sole and absolute discretion in the manner and means of carrying out CONTRACTOR’s activities and responsibilities under this Contract, except to the extent specified in this Contract.


22. ASSIGNMENT AND SUBCONTRACTS
CONTRACTOR may not assign or otherwise transfer or delegate any right or duty without STATE’s express written consent. However, CONTRACTOR may enter into subcontracts provided that any subcontract acknowledges the binding nature of this Contract and incorporates this Contract, including any exhibits. CONTRACTOR is solely responsible for the performance of any subcontractor. CONTRACTOR does not have the authority to contract for or incur obligations on behalf of STATE.

23. SPOLIATION – NOTICE OF POTENTIAL CLAIMS
CONTRACTOR shall promptly notify STATE of all potential claims that arise or result from this Contract. CONTRACTOR shall also take all reasonable steps to preserve all physical evidence and information that may be relevant to the circumstances surrounding a potential claim, while maintaining public safety, and grants to STATE the opportunity to review and inspect the evidence, including the scene of an accident.

24. MERGER AND MODIFICATION, CONFLICT IN DOCUMENTS
This Contract, including the following documents, constitutes the entire agreement between the parties. There are no understandings, agreements, or representations, oral or written, not specified within this Contract. This Contract may not be modified, supplemented or amended, in any manner, except by written agreement signed by both parties. Notwithstanding anything herein to the contrary, in the event of any inconsistency or conflict among the documents making up this Contract, the documents must control in this order of precedence:
a. The terms of this Contract as may be amended;
b. ;
c. STATE’s RFP number 110.7-14-059, dated November 26, 2014; and
d. CONTRACTOR’s proposal dated in response to RFP number 110.7-14-059.

25. SEVERABILITY
If any term of this Contract is declared to be illegal or unenforceable by a court having competent jurisdiction, the validity of the remaining terms is unaffected and, if possible, the rights and obligations of the parties are to be construed and enforced as if the Contract did not contain that term.

26. APPLICABLE LAW AND VENUE
This Contract is governed by and construed in accordance with the laws of the State of North Dakota. Any action to enforce this Contract must be brought and solely litigated in the District Court of Burleigh County, North Dakota. Each party consents to the exclusive jurisdiction of such court and waives any claim of lack of jurisdiction or forum non conveniens.

27. ALTERNATIVE DISPUTE RESOLUTION – JURY TRIAL
STATE does not agree to any form of binding arbitration, mediation, or other forms of mandatory alternative dispute resolution. The parties have the right to enforce their rights and remedies in judicial proceedings. STATE does not waive any right to a jury trial.

28. ATTORNEY FEES AND COSTS
In the event a lawsuit is instituted by STATE to obtain performance under this Contract, and STATE is the prevailing party, CONTRACTOR shall, except when prohibited by N.D.C.C. § 28-26-04, pay STATE’s reasonable attorney fees and costs in connection with the lawsuit.

29. NONDISCRIMINATION AND COMPLIANCE WITH LAWS
CONTRACTOR agrees to comply with all applicable laws, rules, regulations and policies, including those relating to nondiscrimination, accessibility and civil rights. CONTRACTOR agrees to timely file all required reports, make required payroll deductions, and timely pay all taxes and premiums owed, including sales and use taxes and unemployment compensation and workers' compensation premiums. CONTRACTOR shall have and keep current at all times during the term of this Contract all licenses and permits required by law.

30. STATE AUDIT
All records, regardless of physical form, and the accounting practices and procedures of CONTRACTOR relevant to this Contract are subject to examination by the North Dakota State Auditor, the Auditor’s designee, or Federal auditors. CONTRACTOR shall maintain all of these records for at least three (3) years following completion of this Contract and be able to provide them at any reasonable time. STATE, State Auditor, or Auditor’s designee shall provide reasonable notice.

31. EFFECTIVENESS OF CONTRACT
This Contract is not effective until fully executed by all parties.

CONTRACTOR
BY:
Date:

STATE OF NORTH DAKOTA
Acting through its Bank of North Dakota
BY:
Charlie Tweet
Information Security Manager
Date:


EXHIBIT A SCOPE OF WORK Reserved


ATTACHMENT 2 PROPOSAL EVALUATION WORKSHEET

All proposals will be reviewed to determine if they are responsive to the RFP requirements.

ROLE OF COMMITTEE: The role of the evaluation committee is to award points to the proposals so that they may be ranked.

ROLE OF COMMITTEE MEMBER: The role of the evaluation committee member is to be one of several evaluators on the evaluation committee. An evaluation committee member shall apply independent judgment in awarding points to the proposals for the purpose of ranking them.

CONFLICT OF INTEREST: Each evaluator must review the list of offerors submitting proposals and determine if they or any immediate family members have a conflict of interest with regard to an offeror, in accordance with N.D.A.C. § 4-12-04-04. By signature on a proposal evaluation worksheet, the evaluator is confirming that no conflict of interest exists with the offeror being evaluated.

EVALUATION WORKSHEET INSTRUCTIONS FOR EVALUATORS: STATE has assigned each evaluation criterion a specific number of points. The questions under each evaluated area help you measure the quality of an offeror’s proposal. Do not assign points to individual questions; instead, award a total score for each evaluation criterion. Each worksheet must be completed in full, signed and dated by the evaluation committee member.

RATING SCALE: STATE intends this rating scale to establish guidelines within that range to ensure members of the RFP evaluation committee perform their evaluation with consistency. You may assign any value for a given criterion from 0 to the maximum number of points. A zero value typically constitutes no response or an inability of the offeror to meet the criterion. In contrast, the maximum value should constitute a high standard of meeting the criterion.

For example: “Experience and Qualifications” is an evaluation criterion receiving a maximum of 30 possible points. The rating scale would be:

Rating Scale (30 Point Maximum)
Point Value: Explanation
0: None. Not addressed or response of no value
1-7: Fair. Limited applicability
8-15: Good. Some applicability
16-23: Very Good. Substantial applicability
24-30: Excellent. Total applicability

COST PROPOSAL: The offeror is required to place cost proposals in a separate sealed envelope, and the pricing will not be disclosed to the evaluation committee until after the initial evaluation of proposals is completed.


PROPOSAL EVALUATION WORKSHEET
RFP Number and Title:
Name of Offeror:
Name of Evaluator:
Signature of Evaluator:

Plan for Accomplishing the Scope of Work
Forty (40) of the total possible evaluation points will be assigned to this criterion.

Rating Scale
Point Value: Explanation
0: None. Not addressed or response of no value
1-10: Fair. Limited applicability
11-20: Good. Some applicability
21-30: Very Good. Substantial applicability
31-40: Excellent. Total applicability

Proposals will be evaluated against the questions set out below. Do not assign points to individual questions; instead, award a total score for each evaluation criterion.

a) How well has the offeror demonstrated a thorough understanding of the requirements and scope of the RFP? Has the offeror demonstrated an understanding of the deliverables STATE expects it to provide? EVALUATOR'S NOTES _____________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________

b) How well has the offeror illustrated the methodology it intends to employ in accomplishing the scope of work as described in the RFP? Does the methodology depict a plausible and logical approach to accomplishing the scope of work? EVALUATOR'S NOTES _____________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________


c) How well has the offeror demonstrated an understanding of the State's time schedule and ability to meet it? EVALUATOR'S NOTES _____________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________

d) Has the offeror clearly indicated the number and type of resources it plans to utilize in accomplishing the scope of work? Has offeror clearly indicated the amount of time expected to be spent onsite versus offsite, including type of work to be performed at each site? EVALUATOR'S NOTES _____________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________

e) Has the offeror clearly indicated the expectation of STATE resource availability by amount of time and type of resource? EVALUATOR'S NOTES _____________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________

TOTAL SCORE

____________


Experience and Qualifications
Thirty (30) of the total possible evaluation points will be assigned to this criterion.

Rating Scale
Point Value: Explanation
0: None. Not addressed or response of no value
1-7: Fair. Limited applicability
8-15: Good. Some applicability
16-23: Very Good. Substantial applicability
24-30: Excellent. Total applicability

Proposals will be evaluated against the questions set out below. Do not assign points to individual questions; instead, award a total score for each evaluation criterion.

a) Has the offeror illustrated its technical expertise as a MPSS for SIEM management and monitoring? Has the offeror provided two (2) examples of SIEM management and monitoring? EVALUATOR'S NOTES _____________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________

c) Has the offeror illustrated its skill and experience in facilitating information gathering sessions? Has the offeror described how its knowledge and experience in facilitating information gathering sessions will serve to accomplish the work described in the scope of work? EVALUATOR'S NOTES _____________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________

d) Has the offeror provided information specific to the key staff anticipated to be assigned to accomplish the scope of work, including name, title, description of role and responsibilities, description of education background, training, professional experience, skills, certifications and other qualifications relevant for this RFP, and a listing of recent assignments with scope of work similar to this RFP? How well do these resources match the expectations necessary to accomplish the scope of work? Do the individuals anticipated to be assigned to the project have experience on similar projects? EVALUATOR'S NOTES _____________________________________________________________________ ________________________________________________________________________________________


________________________________________________________________________________________ ________________________________________________________________________________________

e) Did the offeror supply three (3) references? Did the references provide information to verify satisfactory performance of the offeror? EVALUATOR'S NOTES _____________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________ ________________________________________________________________________________________

f) Does the offeror have experience working with the banking industry? EVALUATOR'S NOTES ____________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ TOTAL SCORE

____________

Criterion: Points Assigned
Plan for Accomplishing the Scope of Work: 40
Experience and Qualifications: 30
Sum of Technical Proposal Score:
Total Score:

ATTACHMENT 3 COST PROPOSAL FORMAT

Name of Offeror: _______________________________________________

Please complete the following chart. Additional rows can be added if needed.

Deliverables: short description of the required and proposed deliverables contained in its proposal | Proposed Price Per Deliverable
 | $
 | $
 | $
 | $
 | $
 | $
 | $
Total Firm Fixed Price | $

Offeror shall describe any discount terms for prompt payment.
