SR 04-23-2019 3E
City Council
Report
City Council Meeting: April 23, 2019
Agenda Item: 3.E
To: Mayor and City Council
From: Joseph Cevetello, Chief Information Officer, Information Services Department
Subject: Second Modification to Agreement No. 3440 for Vulnerability Analyst Services
Recommended Action
Staff recommends that the City Council authorize the City Manager to negotiate and
execute a second modification to agreement #3440 in the amount of $150,000 with
Aurora Systems Consulting, Inc., a California-based company, for vulnerability analyst
services for the Information Services Department. This will result in a one-year
amended agreement with a new total amount not to exceed $230,000, with future year
funding contingent on Council budget approval.
Summary
The City’s digital infrastructure and data are core to the reliability, effectiveness, and
efficiency of all City services. This will become all the more true as Santa Monica
transforms itself into a true 21st century government. Yet, as the City expands its digital
footprint, it also expands its risk of cyberattacks, and this is the impetus for the City
implementing a robust cybersecurity program. To support this initiative, the City has
developed a vulnerability management program utilizing a vulnerability software solution
to identify, assess, and mitigate potential security risks to strengthen overall security
resilience. The City has contracted with Aurora Systems Consulting, Inc. (Aurora) to
configure and administer the vulnerability solution, perform vulnerability scans and track
and report remediation efforts. A recent assessment of the City’s digital ecosystem has
presented additional opportunities to improve the City’s resilience. Therefore, the
agreement with Aurora needs to be extended for an additional eight months to drive
these vital discovery and remediation efforts.
Discussion
The continued expansion of the City’s cybersecurity program, including vulnerability
management, will ensure that Santa Monica has the required security safeguards set
forth by government regulations mandating the proper handling and safeguarding of
data. Effective vulnerability management will heighten data security, and protect the
confidentiality, integrity, and availability of the systems the City relies on to conduct
business and make decisions. Additionally, the vulnerability management program is a
systematic way to identify and address weaknesses in the City’s information security
defenses. Although it is impossible to prevent a cybersecurity compromise, the
systematic approach to identifying and remediating vulnerabilities can minimize the
entry points that can be exploited by cybercriminals.
Due to a recent assessment that identified opportunities to strengthen the City's digital
ecosystem and the current workload of existing staff, staff recommends extending the
Aurora contract to maintain the necessary momentum to continuously track and monitor
remediation efforts. Consultant services are required to guide staff in the necessary
remediation initiative to properly secure the City. While substantial work has been done
by the consultant to remediate critical vulnerabilities uncovered during a recent
assessment, significant work is still required to ensure that identified vulnerabilities will
not be exploited by cybercriminals to gain unauthorized access to City systems.
Extending the consultant services for an additional eight months will ensure that the City
maintains dedicated resources with requisite expertise for adequate oversight in driving
the remediation efforts until completed.
Implementation of a robust security program aligns with the City’s Framework
Outcomes of Safety and Governance. More specifically, digital resilience will allow the
City to strive to combat intrusions, contain and neutralize breaches, and minimize the
likelihood of financial or reputational loss due to a cybersecurity breach.
Vendor selection
RFP Data
RFP Posting Date: 09/27/2018
RFP Posted On: Staff solicited proposals
# of Vendors contacted: 5
# of Submittals Received: 5
RFPs Received: Aurora Systems Consulting, Inc.; Optiv Security, Inc.; Tenable; Insight Public Sector, Inc.; PCM-G
Selection Criteria
Municipal Code: SMMC 2.24.073
Evaluation Criteria: Experience and technical competence, cost of services, and references and prior client experience.
Justification to Award
Staff reviewed all responses based on selection criteria and interviewed all firms. Based on these criteria and
criteria in SMMC 2.24.073, staff recommended Aurora Systems Consulting, Inc. as the best qualified firm for
services to configure and administer the City’s vulnerability solution, based on project approach, in-depth
experience configuring and administering vulnerability software, experience with similar projects, references,
and lowest price.
Financial Impacts and Budget Actions
Staff seeks authority to increase the amount of the contract with Aurora Systems
Consulting, Inc. for vulnerability analyst services.
Contract Modification Request
Agreement #: 3440
Current Authorized Amount: $80,000
Modified Request Amount: $150,000
FY 2018-19 Budget Dept Account #: 01140001.552010
Total Revised Contract Amount: $230,000
Prepared By: Veronica Mitchell, Information Security Officer
Approved
Forwarded to Council
Attachments:
A. Aurora Oaks Initiative
REFERENCE:
AGREEMENT NO. 10837 (CCS)