Key Lessons From SecuLore’s Experts

Public safety organizations like 911 centers, PSAPs, and ECCs are facing increasingly sophisticated cyber threats. Writing a cybersecurity RFP is more than just a procurement exercise—it’s a strategic decision to protect mission-critical systems and we’re going to show you how to go about writing a cybersecurity RFP in public safety with critical takeaways from our webinar, Securing Public Safety: Navigating the Cybersecurity RFP Process, featuring expert insights from Meara Nightingale and Sue Greentree.

We’ve also included a downloadable planning worksheet to help you put these lessons into action.

Meara Nightingale

Product Manager

Sue Greentree

Operations Support Manager

Public safety agencies are now high-value targets.

According to CTO Sean Scott, “In the past year, there’s been a 63% increase in successful cyberattacks on public safety agencies.” That includes ECCs, PSAPs, and even vendor-connected networks. “We saw 246 separate incidents across 45 states,” Sean explained.

Sue Greentree emphasized, “A lot of agencies are writing cybersecurity RFPs, but they don’t realize they’re leaving out the most important parts — the scope of what they need protected, the service expectations, and even who the vendor should interact with.”

Meara and Sue outlined several recurring issues:

• Vague, generic language
• Missing system scope (CAD, loggers, radio, firewalls
• RFPs ask for ‘monitoring’ but don’t define what that includes.
• Some exclude critical systems like loggers or VPN access.
• Many skip over CJIS or NG911 requirements entirely.
• There’s often no service-level agreement or response expectation written into the RFP.

“A lot of agencies ask for monitoring, but not response. They don’t clarify who should be alerted, when, or what the vendor is responsible for.”

1. Start early and involve all stakeholders (IT, procurement, ops)
2. Clearly define which systems need to be protected
3. Use specific language when outlining the scope and services
4. Structure the evaluation process with transparent scoring and pre-bid Q&A

Your timeline should be fully established before you release your RFP and you should be building in time between between when questions need to be submitted, when answers are posted, and when the response deadline is. Having a good amount of time between those things makes a difference.

Some of the biggest issues in cybersecurity RFPs our experts have seen are “super short timelines” and “vague requirements.”

“If there is a really tight turnaround between when you have answers and when the proposal is due, you may not be getting as good of a response back.”

“Ensuring that when you are putting forth an RFP that there is enough time for you to evaluate for you to get really solid responses back from your RFP is super, super important.”

Meara emphasized that many agencies confuse MDR (Managed Detection & Response) with SOAR (Security Orchestration, Automation, and Response). SOAR is automation-driven and requires a mature internal IT staff. MDR, like SecuLore’s CyberSight™, includes human response and real-time action — something most PSAPs don’t realize they need until it’s too late.

Meara added that RFPs often ask for ‘pen tests’ without understanding how they can disrupt live 911 environments. Instead, she recommended agencies consider non-invasive vulnerability assessments tailored to uptime-critical networks.

• Recommendations from the panel included:
• Require public safety experience — don’t settle for generic vendors
• Ask for examples of reports and response timelines
• Use a clear scoring matrix based on technical fit, response capability, and support
• Avoid proposals that only offer alerting without response

SecuLore has developed a free, fillable Cybersecurity RFP Planning Worksheet to help public safety agencies put these principles into action. Whether you’re starting from scratch or refining an existing process, this tool will help you define what you need, who to involve, and how to plan the RFP timeline.