SR 04-23-2019 3E

City Council Report

City Council Meeting: April 23, 2019
Agenda Item: 3.E

To: Mayor and City Council
From: Joseph Cevetello, Chief Information Officer, Information Services Department
Subject: Second Modification to Agreement No. 3440 for Vulnerability Analyst Services

Recommended Action

Staff recommends that the City Council authorize the City Manager to negotiate and execute a second modification to agreement #3440 in the amount of $150,000 with Aurora Systems Consulting, Inc., a California-based company, for vulnerability analyst services for the Information Services Department. This will result in a one year amended agreement with a new total amount not to exceed $230,000, with future year funding contingent on Council budget approval.

Summary

The City’s digital infrastructure and data are core to the reliability, effectiveness, and efficiency of all City services. This will become all the more true as Santa Monica transforms itself into a true 21st century government. Yet, as the City expands its digital footprint it also expands its risk to cyberattacks, and this is the impetus for the City implementing a robust cybersecurity program. To support this initiative, the City has developed a vulnerability management program utilizing a vulnerability software solution to identify, assess, and mitigate potential security risks to strengthen overall security resilience. The City has contracted with Aurora Systems Consulting, Inc. (Aurora) to configure and administer the vulnerability solution, perform vulnerability scans and track and report remediation efforts.

A recent assessment of the City’s digital ecosystem has presented additional opportunities to improve the City’s resilience. Therefore, the agreement with Aurora needs to be extended for an additional eight months to drive these vital discovery and remediation efforts.

Discussion

The continued expansion of the City’s cybersecurity program, including vulnerability management, will ensure that Santa Monica has the required security safeguards set forth by government regulations mandating the proper handling and safeguarding of data. Effective vulnerability management will heighten data security, and protect the confidentiality, integrity, and availability of the systems the City relies on to conduct business and make decisions.

Additionally, the vulnerability management program is a systematic way to identify and address weaknesses in the City’s information security defenses. Although it is impossible to prevent a cybersecurity compromise, the systematic approach to identifying and remediating vulnerabilities can minimize the entry points that can be exploited by cybercriminals.

Due to a recent assessment that identified opportunities to strengthen the City's digital ecosystem and the current workload of existing staff, staff recommends extending the Aurora contract to maintain the necessary momentum to continuously track and monitor remediation efforts. Consultant services are required to guide staff in the necessary remediation initiative to properly secure the City. While substantial work has been done by the consultant to remediate critical vulnerabilities uncovered during a recent assessment, significant work is still required to ensure that identified vulnerabilities will not be exploited by cybercriminals to gain unauthorized access to City systems. Extending the consultant services for an additional eight months will ensure that the City maintains dedicated resources with requisite expertise for adequate oversight in driving the remediation efforts until completed.

Implementation of a robust security program aligns with the City’s Framework Outcomes of Safety and Governance.
More specifically, digital resilience will allow the City to strive to combat intrusions, contain and neutralize breaches, and minimize the likelihood of financial or reputational loss due to a cybersecurity breach.

Vendor selection

RFP Data
RFP Posting Date: 09/27/2018
RFP Posted On: Staff solicited proposals
# of Vendors contacted: 5
# of Submittals Received: 5

RFPs Received
Aurora Systems Consulting, Inc.
Optiv Security, Inc.
Tenable
Insight Public Sector, Inc.
PCM-G

Selection Criteria
Municipal Code: SMMC 2.24.073
Evaluation Criteria: Experience and technical competence, cost of services, and references and prior client experience.

Justification to Award
Staff reviewed all responses based on selection criteria and interviewed all firms. Based on these criteria and criteria in SMMC 2.24.073, staff recommended Aurora Systems Consulting, Inc. as the best qualified firm for services to configure and administer the City’s vulnerability solution, based on project approach, in-depth experience configuring and administering vulnerability software, experience with similar projects, references, and lowest price.

Financial Impacts and Budget Actions

Staff seeks authority to increase the amount of contract with Aurora Systems Consulting, Inc. for vulnerability analyst services.

Contract Modification Request
Agreement #: 3440
Current Authorized Amount: $80,000
Modified Request Amount: $150,000
FY 2018-19 Budget Dept Account #: 01140001.552010
Total Revised Contract Amount: $230,000

Prepared By: Veronica Mitchell, Information Security Officer

Approved
Forwarded to Council

Attachments:
A. Aurora Oaks Initiative

REFERENCE: AGREEMENT NO. 10837 (CCS)