0:04
Hello and welcome to today’s webinar from Secular, Securing Public Safety, Navigating the Cybersecurity RFP Process.
0:12
We’re gonna wait just a few more minutes for some more people to join and then we’re gonna get started.
1:55
All right, thank you for taking the time out of your day to join us for our June, 2025 webinar here at Secular, Securing Public Safety, Navigating the Cybersecurity RFP Process.
2:06
Before we start, I wanna let you know the webinar is being recorded for future viewing.
2:10
You will receive a follow-up email at the end of the week with the recording of today’s presentation, as well as a cybersecurity RFP sample worksheet you can use.
2:19
So look for that in your emails.
2:21
If any questions come to mind to you during the webinar, please use the questions pane in your interface to make sure you ask it.
2:27
Our host will attempt to answer all of your questions throughout the webinar and today at the end with a special Q&A section at the end of the presentation.
2:34
We also have some interactive polls during the webinar, looking forward to interaction and feedback throughout the webinar.
2:40
Secular provides resources on our website to inform our clients and public safety and the entire cyber security community.
2:48
Our resources archive has access to free recordings of all of our past webinars, and this one obviously will be available at the end of the week, and if you would like a PDF of any of the slides in our presentation, please let us know by responding to this in an email and you can follow up.
3:03
We also have an extensive state-by-state cyber attack archive that we update daily with notable cyber attacks that have affected public safety, local government agencies, healthcare, educational institutions, and critical infrastructure.
3:17
Emergency centers, PSAPs, and 911 agencies face unique cybersecurity challenges and equally unique procurement requirements.
3:26
In today’s webinar, we’ll walk you through the key elements of writing, issuing, and evaluating a cybersecurity request for proposal that is tailored for public safety and government.
3:36
Today, you’re gonna learn to understand what cybersecurity solutions should be in your RFP, how to evaluate vendors and proposals effectively, how to align your RFP and operational needs and compliance standards, and avoid common mistakes that can lead to poor outcomes.
3:52
And of course, we have your host for today’s webinar, and that is gonna be Mira Nightingale, our product manager at Secular.
3:59
She has co-developed the cyber benchmark assessments with the executive team.
4:03
She has over five years of cybersecurity experience with a focus on improving and continuously improving Secular services and five plus years in project management, as well as being Secular’s proposal writer extraordinaire.
4:16
And joining Mira today, we have Sue Greentree who is our operations support manager.
4:21
Sue brings 35 years of experience as a PSAP call center operator and administrator.
4:25
She is an active member of the NENA and APCO organizations.
4:29
She was a governor appointed board member to Maryland 911 policies and standards training subcommittees, and she was appointed to the NG911 commission member, which is chaired by Maryland State Senator Cheryl Kagan.
4:44
So here’s today’s topics.
4:45
We’ll talk about why cybersecurity RFPs matter more than ever, steps to getting better submissions, understanding the cybersecurity service categories.
4:54
We’ll talk about evaluating proposals, and we’ll do a Q&A at the end.
4:59
All right, so why cybersecurity RFPs matter more than ever?
5:02
Cyber attacks against public safety are on the rise.
5:05
We’re seeing a 63% surge against public safety going back to 2023.
5:11
That’s driven by 157% increase in the number of extortion groups.
5:16
Extortion and data theft attacks are frequently far reaching and often disrupt critical systems like CAD with dispatchers and a lot of cases in these attacks are using pen and paper and as a result of attacks in the last year.
5:29
The Public Safety Task Group report indicated that 2023 to March 2024, there were 16 cyberattacks that affected CADs and PSAPs, which caused an average of 15 days of downtime, which included availability and occurred on average once per month.
5:47
And 75% of those were in outlying networks, so people who are vendors with agencies, and then also moved through the critical CAD systems and PSAP environments to deploy their ransomware.
5:58
We’ll start here with the trends.
6:01
Public safety does have to have 24-7 monitoring detection as well as the ability to respond, whether it’s an in-house vendor and the average cost of a data breach has hit an all-time high in 2024, which was 4.8 million.
6:15
Yeah, an additional note there too.
6:20
CJIS security policy is continuing to add more NIST 800-53 requirements, which does include continuous monitoring of a large range of IT systems.
6:33
It includes risk assessments on a regular basis, and it does also include that third party assessor requirement.
6:42
So, latest CJIS, I think, was December, late December of last year, right between Christmas and New Year’s, of course, 6.0. So, make sure to keep an eyeball on that.
6:58
Ransomware and TDoS attacks against 9-1-1 centers are increasing, and we often see that vague and incomplete RFPs leave critical gaps.
7:06
And remember that cybersecurity really is not just a solution.
7:16
As a matter of fact, it was a couple months ago, the agency that I worked with in Maryland was hacked.
7:23
And the 911 Center itself had a slight degree, but of operations that were diminished, but overall records management and all of that kind of a thing.
7:38
So it’s definitely things are increasing dramatically.
7:45
And here are some of the top mistakes in public safety at RFPs.
7:49
So poorly designed ones will attract unqualified vendors, inflate costs, give you solutions that are misaligned with what you’re looking for, as well as the requirements that Mira mentioned.
8:01
And failing to define a vendor evaluation criteria is a big one when it comes to mistakes in cybersecurity RFPs for public safety.
8:08
Yeah, this piece here, ensure that the evaluation makes sense for what you’re trying to procure.
8:16
So if you are getting consultancy work done, ensuring that you are looking for resumes, certifications, things like that.
8:25
If you’re really looking for more of a service type solution, depending on, you know, all of the different types of solutions you can get, you may want to focus more on technology, methodologies that are used, if they’ve served clients that are similar in needs and scope to you, understanding if their team is US-based, if they’ve got CJIS training, and what types of certifications they have across the entire team, rather than specific individual members.
9:02
All right, steps to getting better RFP submission.
9:05
So we’ll start with a poll here in this section, and it will ask if you have been involved in a cybersecurity RFP recently.
9:14
Let me go ahead and launch that for everybody and we’ll give everybody about a minute or two to go ahead and vote if you’ve been involved in a cybersecurity RFP recently.
9:36
Got a good amount of people jumping in on this one.
9:41
We’ll give it just a few more seconds.
9:58
All right, let’s go ahead and share the results for everybody here.
10:01
So, it looks like about 40% of people who were in position to review or write one, 40% expect to write one soon and 20% of people are not quite sure at this time.
10:21
So, we’ll get back into that for more.
10:25
All right, so you want to understand how you’re connected, 9-1-1 obviously requires you to connect with those in the outside world and a big piece of how you can get a better RFP is knowing how your IT staff is connected to what you’re using and what devices are connected to your networks.
10:42
And good process in these situations are always going to lead to good results as well.
10:47
That’s in anything in life, but especially RFPs.
10:55
You wanna make sure it accounts for cybersecurity risks, creating good posture, and you also wanna make sure you’re defining what the proposal process is for throughout this.
11:05
So what does good look like?
11:06
A good thing you can go through here is kind of dig out and see what clear and complete scope of coverage here, including specific type of solutions you’re looking for.
11:17
Make sure that your vendor evaluation matrix is included in this.
11:20
We’ll touch on that more in the webinar.
11:22
You wanna have a checklist or templates with guidance provided.
11:25
You wanna make sure you are using best practices that are designed by places like NIST and CISA.
11:31
Those are in the notes here.
11:32
If you want slides from those, we can give you those.
11:34
There’s links to that as well.
11:35
You want to include training and support in your RFPs as well, sharing your budget details, and you also want to define what success looks like. Mira and Sue, how can they go about including these things in their proposals?
11:49
Yes, so Go ahead sue. Okay.
11:52
I mean, I would start with taking the piece of the budget and your matrix and breaking those into two pieces, because you’ve got to stay within your budget.
12:06
And then you look at the other pieces involved, what kind of technology and such, and you are going to allocate percentages to all of this.
12:19
But the matrix is kind of key in helping you keep everything together and, at the end, have a successful project.
12:30
Yeah, and the specific cyber security solutions.
12:35
I’ve seen some mishaps here.
12:38
We definitely want to ensure that when there isn’t a clear understanding of what type of product you’re looking for, getting clear responses back can be very difficult.
12:52
There are companies that specialize into certain solutions, and if you aren’t clear on what exactly you’re looking for, whether it be, you know, MDR, SOAR assessments versus vulnerability scanning versus penetration testing, because all of those things are different.
13:12
For example, just saying a vulnerability assessment, unless you have a really clear definition of what that means to you, every single vendor in the world has a different definition of what that looks like.
13:25
So does your vulnerability assessment requirement look like having active vulnerability scans within the network?
13:32
Does it have external scans?
13:34
Does it include penetration testing, which is an additional factor on top of those active scans?
13:40
So just ensuring that when you’re including specific cyber solutions, you’re getting really down to the nitty-gritty of what you are looking for that will fulfill your And of course, planning matters in all of this as well.
13:57
You want to lay the groundwork for a successful thing.
13:59
A lot of what Mira was talking about is done in the planning process.
14:03
So you want to make sure all everything is aligned in public sector demands for things like accountability and efficiency.
14:10
And you want to anticipate the needs and engage all of your stakeholders early on in the process.
14:15
You can create RFPs that address both operational and regulatory complexities because those obviously come up quite a bit in this scenario.
14:25
As far as your strategies, too, you want to make sure you’re beginning early, exploring the market, engage all of your stakeholders, whoever those might be, setting your expectations, which Mira just talked about, the expectations of what you want and what versus what vendors are offering, and assess the team capacity.
14:42
And Sue and Mira both have a lot of insight here when it comes to planning and timeline, because this is something we often see that ends up being a mistake where not everybody’s timeline is aligned versus vendors versus requesting the proposals.
14:59
So one item I want to mention on a general note here is just make sure that when it comes to timelines in particular, you’ve got your timeline set up within the RFP.
15:15
You have that decision very early on before you release your RFP.
15:20
Ensuring that there is time between when questions need to be submitted from the vendors when you guys post answers and when the response deadline is, like, actually have a good amount of time between those things, it really makes a difference.
15:38
Generally, if a vendor is waiting on an answer to a question, they may not be able to get very far within their response for you guys.
15:47
So if there is a really tight turnaround between when you have answers and when the proposal is due, you may not be getting as good a response back, to be completely honest.
15:59
I’ve seen three days between answers posted and responses due, and that can be really, really difficult because if there are questions about scope, clarification questions and things like that, that can make it difficult.
16:20
Make sure the process runs smoothly too, so talk about why it matters.
16:24
Here are some of the things you want to include throughout the process, which would be a pre-bid conference, make sure you’re staying informed throughout, plan or evaluate rigorously, verify that they have public sector experience, and you also want to plan for post-award collaboration. Anything in this process that stands out to you, Mira or Sue?
16:44
I think the yeah hosting a pre-bid conference is super important.
16:55
Sue did you have something on this one as well?
16:57
Yeah, I was just going to say is the timelines in all of these and yes, that pre-bid conference and then making sure that everything has been checked over and over and over again because once those deadlines pass and you have what you have promised or as the agency, what the agency is expecting from you and we need to make sure that they are aligned properly.
17:35
Some additional best practices to go through which we talked about was customizing for public sector needs.
17:40
Want to make sure all of your stakeholders in the organization are best represented throughout so you’re not leaving anybody in the process out to make sure you kind of cover all your bases.
17:50
We talked about the post-award collaboration and then review and refine the process.
17:55
And some considerations I know Mira’s got a point here.
17:58
You want to make sure you’re avoiding developing any biased RFPs from what might be a pre-selected vendor. Mira, could you kind of explain what that looks like for them?
18:09
So part of this is, obviously, part of the process that you want to go through is asking vendors if they’ve got any feedback, if they’ve got any, you know, recommendations, basically. That’s totally fine.
18:24
The big thing that you want to avoid is really ensuring that when you are developing the RFP, if you’re paying someone to develop the RFP, that it isn’t towards a really specific thing that maybe they can do.
18:39
But another big thing here is ensuring that because of the new CJIS continuous monitoring and risk assessment requirements, being an independent third party, ensure, ensure, ensure that we are fully independent third party.
18:56
There are biases there that can accidentally be present, even if not purposeful.
19:02
So if you’ve got an infrastructure provider that includes cybersecurity services within their kind of entire umbrella of their product, that’s awesome.
19:14
But you as an agency need to ensure that there is additional third party, basically checks and balances there.
19:22
You need to have a third party from yourselves and you need to have a third party from the infrastructure providers as well.
19:30
And it’s technology updates.
19:32
Obviously, Mira talked about like CJIS requirements, but we know that cybersecurity is changing very quickly.
19:37
So you want to make sure you have your vendors keeping up as well.
19:41
Yes, forever changing.
19:45
So what could your requirements be?
19:47
Be detailed and thorough.
19:48
Make sure we talked about internal stakeholders in the discussion.
19:52
You can ask for demos, sample reports, deliverables, those are all things.
19:56
You want to make sure the milestones are defined.
19:58
Like Sue was saying, and you want to make sure once those deadlines pass, it can get kind of tricky there.
20:05
And don’t omit a request for service level agreements and make sure your installation support and service level agreement costs are defined on this as well.
20:14
This is a pretty well-documented process, I would think here.
20:18
100%. Demonstrations are so, so important, especially if there is a user interaction piece, a UI piece that you guys are going to be utilizing.
20:29
You want to not only see just like high-level specs and stuff like that, that you get from the RFP process, but also how does this work?
20:40
Is it intuitive to you?
20:42
Do the sample reports that you see make sense?
20:46
Are they giving you actionable items to work on?
20:50
That’s super important.
20:52
Then of course, SLAs are your protection.
20:55
You need to ensure that you’ve got SLAs, they meet your requirements, if there are questions there, you can nip them in the bud really early on.
21:05
Yeah, and I like to see agencies not only just get the ad hoc reporting that they can get from their systems, but that they’re looking at vendors who can do custom reports for them, because those are very very helpful during investigations and just get all operations really.
21:31
All right so we’re going to launch another poll here at the end of this section and I’m going to ask what stage are you currently in with your cyber security planning or procurement?
21:39
So I’m going to launch that poll here give everybody a little bit of time to go ahead and answer where they’re at. So are you beginning to explore your needs?
21:47
Are you recently issued an RFP or evaluating vendors.
21:53
If you’ve already implemented some solutions but want to improve or if you’re maybe not sure, or not involved.
21:58
Actually, I think this is the wrong poll. One out of order here.
22:04
So this is a poll later. It’s your biggest procurement challenge.
22:08
And the challenges are knowing what to ask for evaluating proposals, getting stakeholder buy in or budget limitations.
22:14
I have the polls reversed here. So we’ll come back to this one later.
22:16
But right now you are answering, knowing what to ask for in your procurement process.
22:22
Evaluating proposals is a challenge for you, whether a stakeholder buy-in’s a challenge for you or budget limitations are a challenge for you.
22:31
So we’ll go on that side of things first.
22:35
We’ve got decent amount of participation here so far.
22:38
We’ll give it a few more seconds.
22:39
Yeah, it’s looking good.
22:48
So it looks like 71% of people are saying that knowing what to ask for is the biggest challenge in their procurement process, which probably isn’t really a surprise, which is why we’re doing this, right?
23:00
Stakeholder buy-in is one of those things as well.
23:03
Budget limitations, we see that all the time, of course, as well.
23:07
But no surprise that knowing what to ask for probably is the most common challenge.
23:13
So we’ll get back to this other poll right now when it comes to planning.
23:17
We’ll start with understanding the service category.
23:19
So here are your tool considerations.
23:21
I’ll kind of let Mira go through this one because she’s more of the expert on this about knowing what tools you want to consider when it comes to your RFPs for cybersecurity services.
23:32
Sure, so there are a lot of tools.
23:34
These are just some buckets that we particularly like, so take it with a grain of salt.
23:41
But MDR monitoring, it’s 24 by seven monitoring, SOC-based solution will really assist you and your team.
23:51
This also generally will help you check that box for at least part of your continuous monitoring requirement from CJIS, so that is one of the reasons why it’s in here.
24:02
Vulnerability assessments, obviously, I believe the requirement from CJIS is at least annually to be doing vulnerability assessments.
24:12
You can kind of dig into exactly what that means to you. Sometimes that includes penetration testing is not required in CJIS.
24:20
I don’t believe last time I looked through it, but you definitely want to have at least a vulnerability assessment on an annual basis and then vulnerability scanning, which are two different things, on a monthly basis and those will help you fulfill those CJIS requirements. So super high level vulnerability assessments.
24:43
Look at kind of an overarching, not necessarily always high-level view, sometimes they can get more granular, but they’re looking at an overarching risk posture, whereas vulnerability scanning is very specific and targeted.
24:58
It is an active scan within the network, whereas sometimes vulnerabilities assessments can include an active scan, but sometimes they’re also passive.
25:07
So that’s why we have them split out as two separate things, because they are two separate requirements within CJIS.
25:13
And then, of course, your cyber hygiene training is what we call it, but any security awareness training.
25:19
This is for all personnel.
25:22
Human error is, unfortunately, our top risk. We’re all human. We all have tired days, bad days.
25:30
We accidentally click links.
25:32
We accidentally bring in, well, maybe not accidentally, but don’t know any better, and bring in a BYOD device that we, you know, plug into the system not aware of policies.
25:42
Ensuring that we’ve got security awareness training on at least an annual basis, and that it is part of your onboarding process.
25:52
These are really important pieces for just general tool considerations.
25:56
There are more out there, of course, but these will help you check some of your boxes.
26:02
We’ll get into these a little bit deeper, but I do believe that later this year, we will have a webinar on bring your own device and how that affects public safety, because that’s what everyone’s getting into.
26:13
This is another piece too that I think everybody gets confused about, Mira was talking about, making sure you are clarifying what these are.
26:20
So this is just a good example of what we mean by clarification and Mira can kind of go through it and give you a little bit of overview of why it’s important to define exactly what you want versus what the vendor offers.
26:32
Absolutely, so similarly to vulnerability assessments, which is very broad ranging definition.
26:40
Network monitoring can also be kind of broad.
26:44
MDR, SOAR, these are all different levels and different types of tools for similar requirements.
26:53
So network monitoring would be basic alerts.
26:57
It would be a tool for your in-house team typically.
27:02
There isn’t any action built into the tool necessarily.
27:06
This is just basic awareness for your team.
27:08
So then your team would be looking at the alerts on a consistent basis, enacting remediation, et cetera, et cetera.
27:16
MDR, which is managed detection and response, is a more managed solution, right?
27:24
So something that we offer 24 by seven SOC.
27:28
This not only has active alerts, it also has a response, which is usually escalation or de-escalation in some cases from real people, right?
27:43
This is not necessarily just an automated tool.
27:46
We’ve got people who are looking at this on a constant basis for you.
27:50
And that’s fairly typical of most MDRs I’ve seen out there.
27:55
SOAR, which is security, orchestration, and automation and response.
28:02
It’s really a tool.
28:03
Sometimes a SOAR is paired with something like an MDR, where you’ll have a SOC involved, and watching and ensuring that the automations go through.
28:17
But just because someone is selling a SOAR, does not mean inherently that there is a SOC involved.
28:23
A lot of the time, when I’ve seen SOAR solutions, this is again a tool for your team, kind of like the network monitoring piece, but a lot more advanced.
28:35
It has automation playbooks, which are basically like workflows that are, if then yes, no type of workflows that things go through as alerts go off, some things get potentially blocked automatically or endpoints get isolated automatically.
28:52
There is a risk here though, potentially for that automation, right?
28:56
If we are talking about having a SOAR active in a 9-1-1 CPE network or a CAD network, we can’t just have that automation go off on a CAD workstation that’s actively being used, right?
29:10
So if you are getting a SOAR, just ensure that whomever you are working with is very cognizant of the extremely critical nature of some of the endpoints involved and ensuring that automations do not necessarily go off on those devices that you have the alerting capabilities.
29:30
Your IT team’s obviously aware of what’s going on, but it does typically require a more mature internal team that this is their job, full-time job.
29:45
So some of our smaller PSAPs might struggle with having just a SOAR in place versus something that’s a little bit more managed.
29:53
So again, make sure that you’re just qualifying exactly what you’re wanting.
29:57
If you’re just wanting, you know, network monitoring, totally fine.
30:01
Your IT team can deal with the alerts.
30:03
If you’re wanting MDR, more managed solution, separate.
30:07
SOAR is also separate.
30:11
And to use vulnerability assessments too.
30:13
This is really more of a thing you can follow on your own, but it’s also just evaluating when you use these things, rank reports, quarterly and monthly, which Mira talked about, and then matching the frequency and risk level to staffing.
30:27
Absolutely. Yep. Yeah, pen testing. Yeah, pen testing.
30:33
There are mixed opinions on pen testing for public safety, I understand. Yes.
30:38
But make sure you’re defining the scope and tools and the timing. Yeah. Yeah.
30:43
The big thing here is if you’re going to do pen testing, ensure that you understand the risk because pen testing, true, true penetration testing is not a vulnerability scan, it is a vulnerability scan and an exploitation of any, or maybe not any, but a defined number of vulnerabilities found.
31:04
And the risk there is when exploiting vulnerabilities, you can break things.
31:11
So if you’re going to do a live public safety test, there are some folks, some folks that manage CPE networks some vendors that manage CPE networks that have experience in this and they know all of the pitfalls, just make sure that you’re aware and if you’re gonna do a live public safety system directly that your backup is ready to go, you can cut over no problem, that the team is aware that that might happen during the testing, et cetera, et cetera.
31:41
I usually would recommend doing the backup site first to see what vulnerabilities are present, fix them on the live network and then do the live network in preparation for that.
31:50
But yes, absolutely.
31:51
Make sure that there are safety requirements in place too.
31:54
So, um, if you’re running things at 2 AM, that it’s not just an automated thing running at 2 AM, that there is someone there that can press the stop button, um, and make sure that there isn’t more damage done potentially.
32:12
But cyber hygiene training a little bit.
32:13
So you want to make sure all these things tailored by the roles.
32:16
You can do it for staff, IT dispatchers, or anybody really in your system.
32:21
and just make sure you can have it tailored to you.
32:24
And then you want to have ongoing training because things change.
32:28
We’ve done a lot of webinars on phishing because things change very quickly and there are more tools being developed and there are a lot of systems where you can track and report on these things.
32:38
And if it’s part of your overall strategy, you’re going to reduce risk by quite a bit when it comes to training.
32:45
And now we’re going to go backwards for the poll.
32:47
So this is what it says.
32:48
It’s not the poll we’re going to have, but this is the poll we meant to do before.
32:51
But this is gonna be what stage you’re currently in with your cybersecurity planning or procurement.
32:57
So are you just in the beginning to explore cybersecurity needs?
33:01
Are you preparing or drafting an RFP?
33:04
Have you issued one?
33:05
Or are you evaluating vendors right now?
33:08
Maybe you’ve already implemented some solutions and you are not sure where you are in the process.
33:14
Let’s see if I can go back in time here.
33:31
We’ll give people a few more seconds to respond.
33:37
So far, some people are drafting.
33:39
Looks like some people have already implemented.
33:41
Some are not quite involved.
33:45
We’ll give it like five more seconds here.
33:55
So 20% of our audience today is beginning to explore cybersecurity needs.
34:00
20% of them are preparing or drafting an RFP.
34:04
If you’ve issued an RFP recently, we’re at 0% for that one.
34:07
So hopefully that means you’ve already evaluated your vendors.
34:12
And if you aren’t in 20, 40%, they actually already implemented solutions.
34:15
That’s what we want to see. That’s great. Absolutely.
34:18
20% are not currently sure, but 40% saying that they already have implemented stuff is good.
34:22
That’s what we want.
34:23
The more, uh, the more active you are with solutions, the better. All right.
34:27
Now we’ll jump back to where we’re supposed to be, which is evaluating proposals and Sue’s got a lot of experience over here in evaluation. Um, these are the different stakeholders you can have on the staff.
34:37
Obviously there’s more and it’s all tailored to your organization, but you definitely want to make sure we talked before about having a diverse set of stakeholders to make sure everyone’s covered.
34:48
Yeah I would agree with that completely.
34:51
I mean you each one of these categories they have different levels of expertise and experience and you don’t want to just have IT or just have supervisors or certainly, you know, purchasing vital important, but the people who are installing the people who are operating on all of that equipment all the time, whether it’s in records, whether it’s on the floor in the center, you want to make sure that you have the expertise of the people who have been manning these systems and working on these systems, they’re going to be the ones who are going to, uh, to know it the best and be able to give the best input to what work, what they believe is going to be best in their new systems.
35:54
And then we’ll come over here to how to evaluate.
35:56
So obviously, there’s different experiences for public safety networks, government networks.
36:02
You got to follow your standards.
36:03
We talked about SLAs, make sure these services are aligned with your goals.
36:07
We’ve talked about that.
36:08
The weighted scoring matrix is something I’d say we were going to come back to and Mira or Sue, whoever wants to jump in first here.
36:14
But the weighted scoring matrix is something very important to this process.
36:19
Yeah, I mean, I just feel like when you start with that matrix is basically your template.
36:30
And so you have a very defined budget, and then you’re going to, you know, categorize or prioritize, I should say probably more than the other elements of the project.
36:45
And that piece of paper there, that helps you keep things organized.
36:55
You know, as you move through this, you will likely need to maybe change something along the way as your project moves along.
37:05
But it’s a good solid project management tool used in all industries.
37:13
You know, many industries, and so I think that having that helps keep focus. What do you think? 100%.
37:23
Yeah, it also gives the vendors, the responders, a really firm understanding on what is important, what is most important to you.
37:32
If you are looking for some, like, really cool, intense technology and have that really high on your scoring matrix, then the vendors will know, okay, I really need to do deep dive here.
37:43
If you’re really, really focused on I cannot spend a penny more or keeping under budget if at all possible, having that as a higher weight would be helpful.
37:55
And then it also just gives you an objective way to weigh everyone kind of apples to apples, right?
38:02
So that just helps you.
38:04
It helps us as vendors too.
38:10
Here are some red flags to look for when you’re talking about vendor proposals so you don’t want vague responses.
38:16
Hopefully we’ve given you enough tools today to design your RFP so that you’re not getting any vague responses back, but at least in our network or our industry, we want to make sure that the people you’re working with have experience in the areas you’re talking about, whether it’s 911, public safety, government, alerting is a big thing.
38:37
We talked about no defined SLA and compliance ready without specific compliance as I, that’s a big one right now with all the, all the compliances that Mira mentioned that are changing consistently.
38:52
And in the evaluation process, you know, Mira and Sue have both talked a lot about budgeting, uh, don’t compromise quality for price.
39:01
That is something you both I think hit on quite a bit today.
39:05
And how it fits in with what you already have will actually give you a really firm starting point, really get a gauge on what tools do I have today?
39:16
Do I have endpoint detection monitoring tool of some sort?
39:21
Do I have SOC monitoring?
39:23
Do I have most up-to-date firewalls?
39:26
Because that may be where you need to start is you haven’t touched your firewalls in 15 years or longer.
39:32
And that’s really where baseline you just start and go from there.
39:36
But especially if you’re going to be working with a SIEM provider who needs to integrate into potentially pre-existing things you have, ensuring you have all of those things listed within your scope of work would really is very, very helpful because then you can check the box of, okay, yes, they integrate in with what I have today.
39:59
Yes, they can set up API systems and link into things that we already have.
40:04
And as I said, it’ll give you a good feel for where to start as well.
40:14
And this is an executive summary sample.
40:17
I don’t think we have to take it one for one here, but scope, timeline, proposed solutions, deliverables, budget and evaluations.
40:24
Sue, anything to pick out here specifically in the executive summary people wanna pay attention to or just an overall guide here to using this?
40:33
I mean, I think of it as an overall guide, but I would, each agency could be a little bit different, but I think that you want to put them in an order of what’s your priority to, you know, the highest priority to the least priority and then work from there. Yeah, one note on budget too.
41:01
Your budget’s going to drive it the way.
41:04
For sure and if you um if you’re looking for uh kind of consultancy um work then doing kind of getting hourly rates from people is a great idea.
41:16
Otherwise if you’re looking for services don’t do hourly rates unless you’re looking for um like support and install assistance if that’s not already included with their service um or is is needed above and beyond um try to do fixed costs, if at all possible.
41:35
And this also goes back to like why scope is so important too, right?
41:41
Ensuring that you have a really firm understanding of what your budget allows for scope and preventing any scope creep.
41:51
Because as you get more stakeholders into the conversation, which is extremely important, everyone has a laundry list of, you know, wish list of things they want slash things they potentially need and just making sure that it’s really really dedicated to this is this this is the purpose of this RFP is I am getting annual assessments for X number of years or I am getting um you know a kind of assistance with where we are today and how where we need to move forward to tomorrow that is where you need to focus them and not let it kind of move out from that.
42:30
All right, appreciate you all tuning in. We do have a Q&A section here real quick, so if you have any questions that have come to mind throughout the webinar, you definitely can take the time to ask them now. I do have a couple we’ll go through here real quickly throughout the webinar.
42:44
So our first question, Mira and Sue: what are the biggest red flags you have seen in RFPs?
42:53
For me, super short timelines and vague requirements. Ensuring that when you are putting forth an RFP that there is enough time for you guys to evaluate, for you to get really solid responses back from your RFP, is super, super important.
43:17
And obviously we’ve talked ad nauseam about vague requirements, ensuring you’re asking for exactly what you need within that budget.
43:30
And in addition to what Mira has just said, I would say that making sure that you have the right stakeholders looking at the right pieces of, I mean, if you look at an RFP, they can be overwhelming, but you need to have the person that has the most expertise, which is not always management.
43:59
It may be somebody who is a trainer.
44:02
It may be somebody who works the floor.
44:08
They’re answering the calls, using that equipment every day.
44:11
So, make sure that you have the right person doing the evaluation, not just the management.
44:21
And our next question, one of our attendees wants to know what is included, what’s expected in a full scope?
44:29
So this includes everything from number of assets, endpoints, segments that you want included, dependent on what you’re looking for.
44:40
So it would be specific to this RFP scope, obviously.
44:44
This would also include what types of solutions you already have in place.
44:48
So vendors, endpoint solutions, if you’ve got a SIEM, all of that information, most recent network map.
44:58
And I would also generally recommend, if you can, to require responders, us vendors, to sign an NDA before that information is disclosed.
45:09
I wouldn’t necessarily just include it blatantly.
45:12
You can include some of that information.
45:14
But as soon as you get the types of vendors that you use today, if you’ve got a particular firewall vendor, and in my brain as if you were to be a hacker looking into information, you don’t want that information out there necessarily easily obtainable.
45:32
If I know that you’re using a Fortinet firewall, and I, okay, that’s now shortened my list down and I’ve got a whole list of CVEs that are, you know, associated with this specific firewall you’ve already listed that I can just, you know.
45:48
So, hide it behind an NDA if all possible, rather than just including it explicitly.
45:55
But yes, number of assets, endpoints, if it’s, if you have any cloud infrastructure, if that’s included within this scope, if it’s not, please leave it out.
46:04
Network maps are super, super helpful typically to get an understanding of back to the network connectivity.
46:13
How are we connected to each other?
46:15
It also helps the vendors understand what segmentation you may already have in place and give a much better understanding.
46:22
You’ll just get a better response out of your vendors, to be honest, and you won’t have a surprise.
46:27
I thought it was this when I responded with this price.
46:32
It’s actually this over here instead, if you don’t want that.
46:38
All right, any more questions?
46:40
Those are the two we’ve got right now.
46:43
Inside of GoTo here, if you’re still on, there is a material you can download, the RFP Planning Worksheet.
46:49
It will also be coming to your email in the follow-up as well for this recording.
46:54
Next webinar, TBA. I know we’ve got to talk about CJIS here soon, so that’s coming up when we get to that.
47:01
CJIS 6.0, that is all being wrapped up right now in terms of our information and what we can give to you, so we’ll have a webinar on that in the future. And I know we’ve also got some critical tools that are in beta that I know Mira has been working on very diligently. We will be discussing those sometime later this year as well. So we don’t have an exact webinar for our next time out, but be on the lookout for those two topics especially. They will be coming soon, and you’ll get more guidance on those. All right.
47:27
Thank you all for attending today, and thank you to Mira and Sue for all of your insights.
47:31
And we will catch you next time, be on the lookout for invites to our upcoming webinar and all of our materials.