File #: 2019-0511    Version: 2 Name:
Type: Action Item Status: Passed
File created: 12/18/2019 In control: Board of Port Commissioners
On agenda: 6/23/2020 Final action: 6/23/2020
Title: RESOLUTION SELECTING AND AUTHORIZING PURCHASE OF ANNUAL SUBSCRIPTION SERVICES AND SUPPORT FROM SHI INTERNATIONAL CORP. FOR ENTERPRISE VULNERABILITY MANAGEMENT FROM JULY 23, 2020 THROUGH JULY 22, 2021 FOR A COST OF $44,251 AND AUTHORIZING SUBSEQUENT ANNUAL SUBSCRIPTIONS, WITH AN ESTIMATED FIVE-YEAR TOTAL COST OF OWNERSHIP OF $221,022. THIS WORK HAS BEEN DEEMED AN OPERATIONAL NECESSITY. WITHOUT RENEWAL BY THE DISTRICT, AT ITS DISCRETION, THE AGREEMENT TERMINATES AUTOMATICALLY. FUNDS REQUIRED FOR THE FIRST YEAR HAVE BEEN BUDGETED IN FY20. FUNDS REQUIRED FOR FUTURE YEARS WILL BE BUDGETED IN THE APPROPRIATE FISCAL YEAR, SUBJECT TO BOARD APPROVAL.
Attachments: 1. 1. 2019-0511 Attachment A, 2. 1. 2019-0511 Draft Resolution

DATE:                      JUNE 23, 2020

 

SUBJECT:

 


RESOLUTION SELECTING AND AUTHORIZING PURCHASE OF ANNUAL SUBSCRIPTION SERVICES AND SUPPORT FROM SHI INTERNATIONAL CORP. FOR ENTERPRISE VULNERABILITY MANAGEMENT FROM JULY 23, 2020 THROUGH JULY 22, 2021 FOR A COST OF $44,251 AND AUTHORIZING SUBSEQUENT ANNUAL SUBSCRIPTIONS, WITH AN ESTIMATED FIVE-YEAR TOTAL COST OF OWNERSHIP OF $221,022. THIS WORK HAS BEEN DEEMED AN OPERATIONAL NECESSITY. WITHOUT RENEWAL BY THE DISTRICT, AT ITS DISCRETION, THE AGREEMENT TERMINATES AUTOMATICALLY. FUNDS REQUIRED FOR THE FIRST YEAR HAVE BEEN BUDGETED IN FY20. FUNDS REQUIRED FOR FUTURE YEARS WILL BE BUDGETED IN THE APPROPRIATE FISCAL YEAR, SUBJECT TO BOARD APPROVAL.


 

EXECUTIVE SUMMARY:

 

In the fall of 2018, the District experienced a cyber-security event that required examination and advancement of the District's Cybersecurity suite of tools.  One of the legacy security tools that needs replacement is a Vulnerability Management Tool (VMT). The new VMT will replace our current one with a next-generation solution that offers better alignment and integration with the District's new technology landscape. This new solution ties into the District's "Cyber Secure Port" strategy to enhance capabilities across people, process, and technology pillars by offering heightened active and continuous assessment and validation of both known and unknown vulnerabilities.

 

The District utilized an agreement pre-competed by the National Association of State Procurement Officers (NASPO), Software VAR, Contract #: ADSPO16. The pre-competed NASPO contract is for the system, licensing, and implementation of this VMT delivered through SHI International Corp.

 

Attachment A is the vendor-signed Purchase Agreement No. 02-2020BD with SHI International Corp.

 

The initial Purchase Agreement is for a single year. However, as recommended, staff is seeking authorization to purchase additional annual VMT subscriptions from SHI International Corp. The estimated five-year total cost of ownership (TCO) to procure and implement the VMT system and maintain the service and subscriptions is $221,022. Costs for the annual services and subscriptions from SHI International Corp. are estimated as follows:

 

 

An effective VMT is critical to the security of the District’s information technology network. In order to ensure continued vulnerability awareness and threat response services, District staff recommends the Board of Port Commissioners (Board) authorize, consistent with BPC Policy No. 110 section II.F, procurement of annual licensing, maintenance, and support for a VMT system with an estimated five-year TCO of $221,022.  Consistent with BPC Policy No. 110 section II.F, subsequent purchases of the service and subscriptions beyond the initial one-year term, should such purchases be deemed appropriate and at a reasonable cost, will not require future competition or Board action.

 

RECOMMENDATION:

 


Adopt a resolution authorizing a purchase agreement for one year of subscription services from SHI International Corp. for the Vulnerability Management Tool for $44,251, and authorizing subsequent annual subscriptions, to be exercised at the discretion of the District, with an estimated five-year total cost of ownership of $221,022. Funds required for future years will be budgeted in the appropriate fiscal year, subject to Board approval upon adoption of each fiscal year’s budget.


 

FISCAL IMPACT:

 

Funds for the first year of this expenditure ($44,251) are included in the approved FY 2020 budget within the Technology Management Program Equipment & Systems expense account and Services - Professional & Other expense accounts.  Funds required for future fiscal years will be budgeted for in the appropriate year subject to Board approval upon adoption of each fiscal year’s budget.

 

 

Compass Strategic Goals:

 

This agenda item will help provide a required solution to support the District's Information Security team in the areas of vulnerability assessment, awareness and mitigation. This agenda item supports the following Strategic Goal(s).

 

                     A Port that the public understands and trusts.

                     A thriving and modern secure maritime seaport.

                     A Port with an innovative and motivated workforce.

                     A Port that is a safe place to visit, work and play.

 

DISCUSSION:

 

In the fall of 2018, the District experienced a cyber-security event that required examination and advancement of the District's Cybersecurity suite of tools.  One of the legacy security tools that needs replacement is a Vulnerability Management Tool (VMT). The new VMT will replace our current one with a next-generation solution that offers better alignment and integration with the District's new technology landscape.  This new solution ties into the District's "Cyber Secure Port" strategy to enhance capabilities across people, process, and technology pillars by offering heightened active and continuous assessment and validation of both known and unknown vulnerabilities.

 

The District utilized an agreement pre-competed and registered with NASPO, as referenced above.  The pre-competed NASPO contract is for the system, licensing, and implementation of this VMT, with VMT service and support requirements delivered through Rapid7, the software manufacturer.

 

Attachment A is the vendor-signed Purchase Agreement No. 02-2020BD with SHI International Corp.

 

Pricing, under this contract, to procure and implement the system and maintain the first year of service and subscriptions is $44,251. The estimated costs for each subsequent year of services, projected out for five years, are outlined in the table above. An effective VMT is critical to the security of the District’s information technology network. The VMT solution to be acquired includes a two-day quick start deployment to accelerate continuous monitoring and vulnerability detection configuration of the hybrid (on-premise data center and cloud) environment, along with integrating existing tools and leveraging cloud-native security features and notification automation of vulnerabilities.

 

The VMT provides visibility into the vulnerabilities of our IT environment, including local, remote, cloud, and virtual infrastructure. It also brings clarity into how those vulnerabilities translate into business risk and which are most likely to be targeted by attackers.

 

The VMT analyzes our assets and vulnerability data to identify the singular actions we can take to have the most substantial impact on risk reduction. Live dashboards in VMT update as soon as there's new data, letting us track our attack surface and potential risks as they change. The views are customizable for different technical teams or stakeholders. This tool empowers the Information Security and IT Operations teams to have confidence that we are keeping our perimeter secure as it expands into the cloud and beyond.

 

 

General Counsel’s Comments:

 

The General Counsel’s Office has reviewed the agenda sheet and attachments, as presented to it, and approves them as to form and legality.

 

 

 

Environmental Review:

 

The proposed Board action, including without limitation, a resolution authorizing a purchase agreement for one year annual subscription for enterprise vulnerability management, and authorizing subsequent annual subscriptions, to be exercised at the discretion of the District, does not constitute a “project” under the definition set forth in California Environmental Quality Act (CEQA) Guidelines Section 15378 because it would not have the potential to result in a direct or indirect physical change in the environment and is, therefore, not subject to CEQA. No further action under CEQA is required.

 

In addition, the proposed Board action complies with sections 21 and 35 of the Port Act, which allow the Board to pass resolutions and to do all acts necessary and convenient for the exercise of its powers. The Port Act was enacted by the California Legislature and is consistent with the Public Trust Doctrine. Consequently, the proposed Board action is consistent with the Public Trust Doctrine.

 

The proposed Board action does not allow for “development,” as defined in Section 30106 of the California Coastal Act, or “new development,” pursuant to Section 1.a. of the District’s Coastal Development Permit Regulations. Therefore, issuance of a Coastal Development Permit or exclusion is not required.

 

Equal Opportunity Program:

 

Not applicable.

 

PREPARED BY:

 

Robert Renzulli

Chief Information Security Officer, Information Technology

 

 

Attachment(s):

Attachment A: Purchase Agreement