The RFP procurement process is the most detailed procurement procedure that an organization can use to purchase professional services such as a risk and vulnerability assessment. Depending on the size and scope of the procurement, an RFP procurement process can last months, or more than a year if specific procedures and guidelines have to be followed and contract negotiations stall. Deciding on the structure and format of the RFP document, and then actually writing it, is a very time-consuming effort that typically requires technical and nontechnical support from the RFP project team members. The RFP document then requires extensive review, editing, and quality assurance so that RFP addendums can be minimized. The clearer and more concise the RFP document is, the easier it is for consultants and vendors to respond to it.
The goal of an RFP procurement process is to develop a detailed but clearly understood RFP document so that the responding consultant or vendor companies can provide cost-competitive RFP responses without violating any procurement laws, mandates, or regulations that might warrant an official protest from other RFP respondents. The RFP procurement process includes the following steps:
- Assemble an RFP Project Team. Prior to the creation or development of the RFP document, the purchaser or organization purchasing the product or service must be identified, and an RFP project team must be created, consisting of an RFP project team leader, a purchasing representative, IT security professionals, and other pertinent technical and nontechnical resources that will assist in the requirements definition, the technical and nontechnical descriptions, and the overall structure and format of the RFP document itself.
- Development of RFP Structure and Format. Most RFPs are structured and formatted to have a Technical Response section and a Cost Proposal section, with separate evaluation criteria for each. Federal, state, provincial, county, and municipal governments typically have RFP document templates organized according to the procurement laws, mandates, and regulations that must be followed.
- Assemble the RFP Evaluation Team. Selecting a qualified RFP evaluation team composed of nontechnical business professionals and technical IT and IT security professionals is critical to an accurate and effective evaluation of both the technical and nontechnical sections of the RFP response. In many cases, if a consultant or vendor assisted the organization with the RFP creation and procurement process, that consultant or vendor may be precluded from participating in the RFP evaluation process, depending on the procurement rules and guidelines that must be followed.
- Creation of RFP Evaluation Methodology. This is one of the most difficult elements of the RFP document to create. Deciding how the organization will evaluate the RFP responses is the most important element in providing a fair and equitable evaluation of all RFP responses submitted. Many organizations must comply with procurement and purchasing laws, mandates, and regulations, so always confirm whether your organization is under strict guidelines. Many RFP evaluation methodologies are based on a weighted scale and point system that the RFP evaluators use to review and score each element in the technical and nontechnical sections of the RFP response.
- Creation of RFP Bid Documents. Many pieces of an RFP document must be defined and documented; they are listed in this bulleted list. Creating the RFP bid documents under procurement laws, mandates, and regulations requires the utmost confidentiality and zero communication with the consultant and vendor community. Failure to comply with procurement laws and procedures can disqualify a consultant or vendor from participating in the RFP process. Many organizations hire outside consultants to assist in creating the RFP bid documents, especially if technical or security-related requirements exist. Other organizations rely on the RFP project team to author the sections of the RFP document in which they have specific expertise.
- Creation of RFP Instructions. The RFP instructions must clearly describe and define the procurement laws and procedures that must be followed throughout the RFP process, and must be written clearly enough to minimize any questions or confusion the consultants or vendors may have about the process. The RFP instructions include specific RFP project timelines, instructions for submitting questions and obtaining RFP addendums, RFP submittal instructions, and other information on how to properly prepare and submit an RFP response without violating any procurement laws.
- Creation of RFP Mandatory and Technical Requirements. Creating the RFP's mandatory minimum and technical requirements for a risk and vulnerability assessment is the most important part of the requirements definition. In many cases, the purpose of conducting a risk and vulnerability assessment is to justify spending funds on security for the IT infrastructure and assets. In other cases, the purpose is to assist an organization in defining an IT security architecture and framework based on the gaps and voids identified during the assessment. Many IT organizations need to conduct a risk and vulnerability assessment so that the organization can ensure the availability, integrity, and confidentiality of its IT infrastructure and assets. The RFP's mandatory minimum requirements and technical requirements are critical in eliminating organizations that are not financially sound, are not technically capable, or would need subcontractors to perform a majority of the work instead of having the expertise in-house at the consulting or vendor company.
- Public Announcement of RFP Bid Process/Prebid Conference. Public procurements such as an RFP for risk and vulnerability assessment services require a public announcement or advertisement, usually in a newspaper, to notify the consultant and vendor community that an RFP is about to be released. For complex risk and vulnerability assessments, a prebid conference may be announced to share information about the upcoming RFP document with the vendor community.
- Release of Official RFP Bid Document to Public. This is the official date on which the RFP bid document is released to the general public.
- Intent to Submit an RFP Response. Many organizations require that any consultant or vendor intending to submit a formal RFP response indicate that intent by a certain date and time. This allows the organization to focus its attention on those consultants and vendors that have indicated they are responding to the RFP. Once the deadline for indicating intent has passed, all other consultants and vendors are no longer eligible to respond to the RFP.
- Conduct RFP Bidder's Conference #1. Typically, three to four weeks after the RFP is publicly released, the purchasing organization conducts an RFP bidder's conference where consultants and vendors can ask questions about the RFP document and the RFP process itself. This is the only forum in which consultants and vendors are allowed to ask questions. Typically, answers are given verbally at the conference; however, all questions and answers are documented and provided to all RFP participants in the form of an official RFP addendum.
- Prepare and Release RFP Bidder's Conference Addendum(s). The RFP may have more than one addendum as a result of the questions asked at the RFP bidder's conference and those formally submitted in writing per the RFP's question submittal instructions. All official correspondence with the consultants and vendors responding to the RFP is done through RFP addendums.
- Conduct RFP Bidder's Conference #2 (Optional). If a second RFP bidder's conference is required, the organization announces a second conference, after which formal questions and answers are again provided via an RFP addendum.
- RFP Response Submittal Due Date. This is the due date, due time, and submittal address or location for all official RFP responses. Failure to follow the RFP submittal instructions may result in the RFP response being disqualified without even being evaluated. Following the RFP submittal instructions exactly as they are defined is the only way to ensure that the RFP response will be officially accepted by the purchasing organization.
- RFP Public Announcement of Received RFP Responses. Upon receipt of submittals and expiration of the submittal deadline, the purchasing organization publicly announces which companies submitted an RFP response.
- RFP Evaluation Process Commences with RFP Mandatory Minimum Requirements Review. This is a quiet period in which the purchasing organization and the consultants and vendors that submitted an RFP response are not allowed to communicate with one another except through the RFP's submittal instructions for questions and answers, which is done through the RFP addendum. Typically, the RFP's Mandatory Requirements section is reviewed first to confirm that the RFP response complied with the submittal instructions. Failure to follow the submittal instructions and meet the RFP mandatory requirements may disqualify the RFP response completely. This is critical to understand, because nobody wants an RFP response, which is very time-consuming to create, to be thrown out and disqualified because of a technicality or a failure to meet all of the RFP's mandatory minimum requirements.
- RFP Evaluation Process Continues with Scoring Sheets Filled In and Tabulated. After the RFP's mandatory minimum requirements are met, the responses to the RFP's technical requirements can be examined and analyzed by the RFP evaluation team members. Whether this is a qualitative or a quantitative RFP evaluation, each RFP evaluator must evaluate the RFP responses from his or her own perspective and understanding of the project. Typically, RFP evaluators are required to fill in RFP response sheets with scores based on a predefined yardstick. In some cases, a weighted scoring factor may place more value on certain requirements and less on others as the RFP evaluators score them.
- RFP Contract Award Public Announcement. When the evaluation of all RFP responses has been completed, tabulated, and compared, the purchasing organization, after careful review and quality assurance of the RFP evaluations, issues an intent to award a contract for the risk and vulnerability assessment. This intent to award is merely that, an intent to award a contract, pending contract negotiations and finalization.
- RFP Contract Protest Period. For public procurements, a protest period usually commences after the public announcement of the intent to award a contract. Depending on the applicable procurement laws, the protest period runs from the date of the intent to award for a specified time, during which the other consultants and vendors may protest if they can prove or justify that a procurement violation or error in the awarded consultant's or vendor's RFP response warrants the protest. Typically, a protest of an intent to award must be supported by physical evidence and proof that a violation occurred in the winning consultant's or vendor's RFP response. Contract protest hearings are typically conducted to address any protests and to make the results of the contract protest available to the public.
- RFP Contract Award and Contract Negotiations Commence. After the protest period expires, the purchasing organization can commence contract negotiations leading up to an awarded contract.
- RFP Contract Award Is Signed and Executed. Upon completion of the contract negotiations, the awarded contract is signed by the purchasing organization and the consultant or vendor that was awarded the contract.
- RFP Contract for Products and/or Services Commences. After the contract is executed, the consultant or vendor commences the risk and vulnerability assessment project with a kick-off meeting that introduces the project team members and the overall project approach to be taken for the organization. Interfacing, communicating, and working in conjunction with the organization's IT and IT security staff is typically required and must be planned during the project's kick-off meeting.