WASHINGTON TOWNSHIP
2026 Municipal Cybersecurity Assessment Services
Bid Number: RFP-2026-03
REQUEST FOR PROPOSALS

ISSUED BY: Audrey Brown
Email: browna@washingtontwpmi.org

Submit Bids to:
Charter Township of Washington
Audrey Brown, Clerk
57900 Van Dyke Rd., Washington Twp., MI 48094
(586) 786-0010

Proposal Due: July 29, 2026

NOTICE
OFFER TO RECEIVE BID FOR THE CHARTER TOWNSHIP OF WASHINGTON
2026 Municipal Cybersecurity Assessment Services
BID NO. RFP-2026-03

OVERVIEW

The Charter Township of Washington Clerk’s Office is soliciting a Request for Proposal (RFP) from Qualified Municipal Cybersecurity Assessment firms to conduct a discrete, one-time comprehensive cybersecurity assessment engagement of the Municipality's information technology environment. This RFP is for a cybersecurity assessment engagement only — not for ongoing managed IT services. The selected vendor will deliver defined assessment deliverables within a defined project period, then conclude the engagement. The Township seeks an objective third-party evaluation of its cybersecurity posture.

1. SUBMISSION AND RECEIPT OF BIDS

Sealed bids will be received by the Charter Township of Washington at the office of the Township Clerk, 57900 Van Dyke Rd., Washington Twp., Michigan, 48094 until 10:00 a.m. local time July 29, 2026. The bids will be publicly opened and read aloud immediately following the 10:00 a.m. deadline. Bids to receive consideration shall be received prior to the specified deadline time. NO LATE BIDS WILL BE ACCEPTED. Bids are considered received when in the possession of the Washington Township Clerk’s Office.

All bids must be labeled RFP-2026-03 Municipal Cybersecurity Assessment Services. Bids must be sealed when submitted. Bids must be typewritten or printed in ink and legibly prepared. Bids having erasures or corrections thereon may be rejected unless explained or initialed by bidder. Bids must be received at the Township Clerk’s Office by the stated deadline.

a. ADDITIONAL BID INFORMATION
Unless otherwise specified, the Township reserves the right to accept any item in the bids. Bidders may submit on any item or group of items, provided however, that the unit prices are shown as required. It is the vendor’s responsibility to acquire knowledge of any change, modifications or additions to the bid documents. Any vendor who submits a bid and later claims it had no knowledge of any change, modifications or additions made by the Charter Township of Washington to the bid specifications, shall be bound by the bid, including any changes, modifications or additions made by the Charter Township of Washington to the bid specifications. If that vendor fails to accept the bid award, the Charter Township of Washington may pursue costs and expenses to re-bid the item from that vendor. The Charter Township of Washington officially distributes bid documents through the BidNet website. Only those vendors who obtain bid documents through the BidNet website are guaranteed access to receive addendum information.

b. ALTERNATE BIDS
Bidders are cautioned that any alternate bid, unless requested by the Township, or any changes, insertions, or omissions to the terms and conditions, specifications, or any other requirements of this bid, may be considered non-responsive and in the opinion of the Township, may result in rejection of the bid.

c. QUANTITIES
All quantities stated, unless indicated otherwise, are estimates and the Township reserves the right to increase or decrease the quantity at the unit price bid as best fits its need.

d. TAXES, TERMS AND CONDITIONS
The Charter Township of Washington is exempt from Federal Excise, State Sales Tax and Personal Property Tax.

e. AWARD
The bid will be awarded to the responsible, responsive bidder whose bid, conforming to this solicitation, will be most advantageous to the Township, with price and other factors considered.
The Charter Township of Washington reserves the right to accept any bid, to reject any or all bids, or waive irregularities in any bid in the best interest of the Township. Township reserves the right to perform a site visit at the bidder’s place of business. Bidders may submit bids on any item or groups of items provided unit prices are clearly shown and a notation is made on the bid document clearly indicating bidder’s intent.

2. CONTRACT & CHANGE ORDERS

a. Firm Prices - Once the Contract is awarded, the prices offered by the successful bidder shall remain firm for the duration of the contract. No different or additional items will become part of this contract with the exception of a change order. No oral statement of any person shall modify or otherwise change, or affect the terms, conditions or specifications stated in the resulting contract. All change orders to the contract will be in writing and at the discretion and approval of the Township. No change order will be binding unless signed by an authorized representative of the Township and Proposer.

b. Formal Change Management Process - Vendor shall implement a documented change management process. All changes to Township systems, configurations, or services shall be classified as:
(a) Emergency Change — immediate action for active incidents; notify Township within one (1) hour, document within twenty-four (24) hours;
(b) Standard Change — routine pre-approved low-risk changes;
(c) Normal Change — all other changes requiring a written Change Request submitted to the Township's designated contact at least forty-eight (48) hours in advance, including scope, impact assessment, implementation window, and rollback plan.
No Normal Change may be implemented without written Township approval. Vendor shall maintain a change log reviewed in monthly reporting.

c. Implementation Plan — The successful vendor must prepare and submit a final implementation plan and timeline within fourteen (14) days of contract execution.
NOTE: The Township expects the full assessment engagement to be completed within 8 weeks of the project kickoff meeting. Vendors must specify their proposed project duration in Section 7.5 of their proposal. The plan shall include:
(a) a detailed project schedule with named milestones and completion dates;
(b) identification of all Township staff dependencies and required Township actions;
(c) a communication plan including cadence and format of status updates;
(d) a risk register identifying top transition risks and mitigation strategies;
(e) a parallel-operations or cutover plan ensuring zero interruption to Township business; and
(f) documented acceptance criteria for each major milestone.
The Township reserves the right to withhold payment for any milestone until written acceptance is provided.

d. CONTRACT TERMINATION
The Township reserves the right, upon ninety (90) days written notice, to terminate this contract for failure of vendor to comply with terms and conditions set forth herein. Nonperformance on the part of the vendor shall constitute breach of contract and shall nullify any and all contractual obligations between the seller and the purchaser.

e. WITHDRAWALS OF BIDS
Bids may be withdrawn before the due date in person by a bidder, or authorized representative, provided their identity is made known and a receipt is signed for the bid, but only if the withdrawal is made prior to the stated bid deadline. In case of error by the bidder in making up a bid, the Township may, by discretion, reject such a bid upon presentation of a letter by the bidder which sets forth the error, the cause thereof and sufficient evidence to substantiate the claim. Upon expiration of the due date, proposer acknowledges and agrees that such bid may not be withdrawn or cancelled by the proposer for a period of ninety (90) days following the due date.
In the event that proposer's bid is accepted by the Township within such ninety (90) day period, the proposer shall be required to perform in accordance with the terms and conditions contained herein. If no contract has been executed by the Township within ninety (90) days following the due date, any proposer may withdraw the bid and deposit. By mutual consent between the Township and the proposers, this time period may be extended.

f. DEFAULT CONDITIONS
In case of default by the contractor, the Charter Township of Washington may procure the articles or services from other sources and hold the bidder responsible for any excess cost occasioned thereby. In case of error by the bidder relating to a Contract, the Township may, by discretion upon presentation of a written explanation by the bidder substantiating the error, reject the Contract and award to the next qualified bidder. Such error may be subject to default conditions.

g. INFRINGEMENTS AND INDEMNIFICATIONS
The bidder, if awarded a contract, agrees to protect, defend and save the Township and herein, its officials, employees, departments, and agents, harmless against; any demand for payment for the use of any patented material, process, or device that may enter into the manufacture, construction, or from a part of the work covered by either order or contract; and from suits or a charge of every nature and description brought against it for, or on account of, any injuries or damages received or sustained by the parties by or from any of the facts of the contractor, the contractor’s employees, or agents; from all liability claims, demands, judgments and expenses to persons or property occasioned, wholly, or in part, by the acts or omissions of the bidder, contractor, agents or employee.

h. INVOICING
The Contractor must submit numbered invoices on a monthly basis specifying: Property Location, Department, Date of Service, Total Dollar Amount of each service provided, and Purchase Order # (when applicable).
Invoices shall not be sent until all work is completed; partial invoices will not be accepted. All invoices shall be sent to:
accountspayable@washingtontwpmi.org
Washington Township
Attn: Accounts Payable
57900 Van Dyke Rd.
Washington Twp., MI 48094

i. INSURANCE (REQUIRED FOR WORK ON OR WITHIN TOWNSHIP PROPERTY/FACILITIES)
The proposer, if awarded a contract, shall maintain insurance coverage for the duration of the contract. A Certificate of Insurance indicating carrier, limits, exemptions and the following wording included under the Description of Operations/Locations/Vehicles, must state “It is understood an agreed that the following shall be Additional Insureds: The Township of Washington, including all elected and appointed officials, all employees and volunteers, all boards, commissions and/or authorities and their board members, employees and volunteers” must be submitted to Washington Township within the sealed bid. The proposer furnishing labor on the township/public premises does agree to have his workers covered by Worker’s Compensation and furnish a Certificate of Insurance showing coverage for bodily injury and property damage and Worker’s Compensation.

A. Cyber Liability Insurance Requirement: The awarded vendor shall maintain Cyber Liability Insurance with minimum limits of $2,000,000 per occurrence / $4,000,000 aggregate covering data breach, cyber extortion, network security liability, and first-party breach response costs. The Township of Washington shall be named as an Additional Insured. Certificate of Insurance evidencing this coverage shall be provided with the sealed bid.

NOTICE TO PROPOSERS

1. Request for Proposals

The Charter Township of Washington is soliciting sealed proposals from qualified firms to provide comprehensive cybersecurity assessment services for the Municipality’s information technology environment.
The purpose of this assessment is to evaluate the Municipality’s cybersecurity posture, identify vulnerabilities and risks, assess compliance with applicable standards and best practices, and provide actionable recommendations to improve cybersecurity resilience.

The Municipality reserves the right to reject any or all proposals, waive irregularities, and accept the proposal deemed to be in the best interest of the Municipality.

Introduction and Background

Municipality Overview

The Charter Township of Washington is seeking a qualified cybersecurity consulting firm to conduct a comprehensive cybersecurity assessment of the Municipality’s technology environment, systems, policies, and operational practices. The Municipality operates a variety of systems supporting municipal operations, including but not limited to:
• Administrative systems
• Public safety systems
• Utility systems
• Financial and payroll systems
• Public-facing web applications
• Email and collaboration platforms
• Network infrastructure
• Cloud-based applications and services

2. Purpose of the Assessment

The selected vendor will perform a comprehensive assessment designed to:
• Identify cybersecurity vulnerabilities and risks
• Evaluate the effectiveness of current cybersecurity controls
• Assess compliance with cybersecurity best practices and applicable standards
• Evaluate governance, policies, and procedures
• Review incident response readiness
• Provide prioritized recommendations for remediation and improvement

3. Project Objectives

The Municipality intends for this project to accomplish the following objectives:
1. Establish a current-state cybersecurity baseline.
2. Identify technical and administrative vulnerabilities.
3. Assess cybersecurity governance and organizational readiness.
4. Evaluate compliance with industry-recognized frameworks.
5. Assess resilience against cyber threats and ransomware.
6. Provide actionable and prioritized remediation recommendations.
7. Support future cybersecurity planning and budgeting.
8. Improve operational and data security practices.

4. Scope of Services

The selected vendor shall provide a comprehensive cybersecurity assessment that includes, at a minimum, the following services.

a. Project Planning and Kickoff
The vendor shall:
• Conduct a project kickoff meeting
• Coordinate with Municipality staff
• Develop a project plan and schedule
• Identify information and access requirements
• Establish communication protocols

b. Cybersecurity Program Review
Review and assessment:
• Cybersecurity governance structure
• Information security policies and procedures
• Security awareness and training programs
• User access management practices
• Third-party/vendor management practices
• Incident response procedures
• Disaster recovery and business continuity planning
• Data classification and retention practices
• Change management processes

c. Technical Security Assessment
Conduct technical assessments of the Municipality’s environment, including:

Network Security
• Firewall configurations
• Network segmentation
• Wireless security
• Remote access controls
• VPN security
• Intrusion detection/prevention systems

Endpoint Security
• Antivirus/endpoint protection
• Patch management
• Endpoint detection and response (EDR)
• Device management
• Workstation security configurations

Server and Infrastructure Security
• Server hardening
• Active Directory review
• Privileged account management
• Backup systems and configurations
• Virtualization infrastructure

Cloud and SaaS Security
• Microsoft 365 or Google Workspace security
• Cloud access controls
• Multi-factor authentication (MFA)
• Conditional access policies
• Cloud application security settings

d. Vulnerability Assessment
The vendor shall:
• Conduct authenticated and/or unauthenticated vulnerability scans
• Identify critical, high, medium, and low-risk vulnerabilities
• Validate findings where appropriate
• Provide remediation recommendations

e. Phishing and Security Awareness Assessment
• Conduct simulated phishing campaigns
• Evaluate employee susceptibility to phishing attacks
• Provide user awareness metrics
• Deliver recommendations for training improvements

f. Penetration Testing
• External penetration testing
• Internal penetration testing
• Web application testing
• Wireless security testing

Include in base scope:
• External penetration testing — This is non-negotiable for any public entity. It tests what attackers on the internet can reach, and the results directly inform your remediation roadmap. Without it, the assessment is incomplete.
• Web application testing — You have public-facing web applications listed in your scope. Since those are internet-exposed and handle public interaction, they belong in the base assessment alongside external pen testing.

The following penetration testing services are included in the base assessment scope and shall be priced accordingly on Appendix C: (1) External Network Penetration Testing, (2) Web Application Penetration Testing. The following are available as separately priced optional add-ons: (3) Internal Network Penetration Testing, (4) Wireless Network Penetration Testing, (5) OT/SCADA System Assessment. Vendors shall provide pricing for all five testing types on Appendix C, clearly distinguishing base scope items from optional add-ons.

NOTE: Vendors who do not provide pricing for the base scope testing types (External and Web Application) will be considered non-responsive.

4.6 Compliance and Framework Alignment
Assess alignment with applicable standards and best practices, which may include:
• NIST Cybersecurity Framework (CSF)
• CIS Critical Security Controls
• CJIS requirements (if applicable)
• HIPAA considerations (if applicable)
• PCI-DSS considerations (if applicable)
• State and local cybersecurity requirements

g. Risk Assessment
The vendor shall:
• Identify cybersecurity risks
• Assess likelihood and impact
• Provide a risk ranking methodology
• Develop a risk register
• Identify operational and business impacts

h. Final Reporting and Presentation
The vendor shall provide:
• Executive summary report
• Detailed technical findings report
• Risk register
• Prioritized remediation roadmap
• Presentation to IT Committee

Suggested Minimum Technical Requirements
The Municipality recommends that vendors include assessment methodologies aligned to:
• NIST Cybersecurity Framework (CSF) 2.0
• CIS Controls Version 8
• OWASP testing methodologies
• Industry-standard vulnerability scanning tools
• Secure reporting and evidence handling practices

5. Deliverables

At a minimum, the selected vendor shall provide the following deliverables:

Deliverable | Description
Project Plan | Detailed implementation timeline and milestones
Status Updates | Regular project status meetings and updates
Vulnerability Assessment Results | Technical findings and remediation guidance
Risk Assessment | Risk rankings and analysis
Executive Summary | High-level summary for leadership
Detailed Technical Report | Comprehensive technical assessment
Remediation Roadmap | Prioritized action plan
Final Presentation | Presentation of findings and recommendations

All reports shall be provided electronically in PDF format and editable format where applicable.

6. Vendor Qualifications

Vendors responding to this RFP should demonstrate the following qualifications:

a. Required Qualifications
• Minimum of five (5) years providing cybersecurity consulting services
• Experience conducting cybersecurity assessments for municipalities or public-sector organizations
• Experience with Google platform, Microsoft 365 and hybrid/cloud environments
• Experience with vulnerability assessments and cybersecurity risk analysis
• Ability to provide qualified cybersecurity professionals

b. Preferred Certifications
The Municipality prefers vendors with staff holding certifications such as:
• CISSP
• CISM
• CEH
• GIAC certifications
• Security+
• Certified Ethical Hacker
• ISO 27001 Lead Auditor

c. References
Vendors shall provide at least three (3) references for similar projects completed within the last five (5) years. Include:
• Organization name
• Contact name and title
• Phone number
• Email address
• Description of services provided

7. Proposal Requirements

Proposals shall include the following sections.

7.1 Cover Letter
Include:
• Company name and address
• Primary contact information
• Authorized representative signature
• Statement of understanding of the project

7.2 Company Profile
Provide:
• Company background
• Organizational structure
• Years in business
• Public-sector experience
• Relevant certifications and partnerships

7.3 Technical Approach
Describe:
• Understanding of project objectives
• Proposed methodology
• Assessment tools and techniques
• Project management approach
• Communication plan
• Reporting approach

7.4 Project Team
Include:
• Key personnel
• Roles and responsibilities
• Relevant qualifications and certifications
• Resumes or biographies

7.5 Project Schedule
Provide an estimated timeline including:
• Kickoff meeting
• Assessment activities
• Interim reporting
• Draft report delivery
• Final report delivery

The total engagement duration shall not exceed eight (8) weeks from the project kickoff meeting to delivery of the final assessment report and executive presentation. Vendors shall propose their specific timeline within this window. For reference, the Township's environment includes approximately 70 users, 10 servers, and 5 locations. Vendors proposing optional OT/SCADA testing may request up to two (2) additional weeks for that component, subject to Township approval.

7.6 References
Provide references as described in Section 6.
7.7 Cost Proposal
Provide detailed pricing including:
• Fixed-fee pricing
• Hourly rates (if applicable)
• Optional services pricing
• Travel costs
• Any additional fees

REQUIRED: For each line item in Appendix C, vendors must also provide the underlying labor assumptions: number of hours estimated, role/title of personnel performing the work, and applicable hourly rate. This allows the Township to evaluate whether proposed pricing is realistic and to compare proposals on an equivalent basis. Proposals providing only lump-sum totals without labor detail may be considered non-responsive.

8. Evaluation Criteria

Proposals will be evaluated using the following criteria:

Criteria | Weight
Vendor Experience and Qualifications | 20%
Technical Approach and Methodology | 35%
Project Team Qualifications | 10%
Cost Proposal | 25%
References | 10%

9. Project Timeline

The anticipated schedule for this RFP is as follows:

Milestone | Date
RFP Issued | July 1, 2026
Questions Due | July 17, 2026
Proposal Due Date | July 29, 2026
Anticipated Approval Date | Board of Trustees Meeting – August 19, 2026
Project Kickoff | Within 30 days from date of approval

The Municipality reserves the right to modify the schedule.

10. Terms and Conditions

Right to Reject
The Municipality reserves the right to:
• Reject any or all proposals
• Waive informalities or irregularities
• Request clarification from proposers
• Negotiate modifications to proposals
• Cancel the RFP at any time

Costs of Proposal Preparation
All costs incurred in the preparation of proposals shall be the responsibility of the proposer.

Ownership of Documents
All proposals submitted become the property of the Municipality.

Compliance with Laws
The selected vendor shall comply with all applicable federal, state, and local laws.

Conflict of Interest
Vendors shall disclose any actual or potential conflicts of interest.

11. Vendor Confidentiality Obligations

The selected vendor acknowledges that in the course of performing cybersecurity assessment services, it will have access to sensitive information about the Municipality's systems, vulnerabilities, and security controls. The vendor agrees to treat all such information as confidential, to limit access to authorized personnel only, and to execute a non-disclosure agreement as a condition of contract award. Assessment findings, vulnerability details, and technical reports shall not be disclosed to any third party without prior written authorization from the Township.

12. Confidentiality and Data Protection

The selected vendor shall:
• Maintain confidentiality of all municipal information
• Execute a confidentiality or non-disclosure agreement if required
• Protect sensitive and confidential data
• Restrict access to authorized personnel only
• Notify the Municipality of any security incidents
• Return or securely destroy municipal data upon project completion

13. Pricing Proposal Form (Appendix C: Cost of Services)

Pricing Summary

Service | Cost
Cybersecurity Program Review | $__________
Vulnerability Assessment | $__________
Risk Assessment | $__________
Executive Reporting | $__________
Final Presentation | $__________
External Penetration Testing | $__________
Web Application Penetration Testing | $__________
Optional: Internal Penetration Testing | $__________
Optional: Wireless Security Penetration Testing | $__________
Optional: Phishing Assessment | $__________
Travel Expenses | $__________
Other Costs | $__________
OT/SCADA Security Assessment (if applicable) | $____________
Total Proposed Cost | $__________

[REQUIRED: For each line item above, attach a supporting labor schedule showing: estimated hours per line item, role/title of personnel, and hourly rate. See Section 7.7 for requirements.]

Additional Pricing Information
Provide any assumptions, exclusions, or optional pricing details:

14. Sample Agreement Terms

The selected vendor will be required to enter into a professional services agreement with the Municipality. The agreement may include provisions related to:
• Scope of services
• Compensation
• Insurance requirements
• Confidentiality
• Data ownership
• Indemnification
• Limitation of liability
• Termination rights
• Compliance with laws
• Record retention
• Background checks (if applicable)

The Municipality reserves the right to negotiate final contract terms.

15. Appendices

1. Appendix A – IT Environment Inventory Summary
2. Appendix B – Vendor Questionnaire
3. Appendix C – Cost of Services (See Section 13)
4. Appendix D – Implementation Plan
5. Appendix E - Professional Reference Information
6. Appendix F - Signature Page
7. Appendix G – Non-Collusion Affidavit
8. Appendix H - Conflict of Interest
9. Appendix I – Non-Iran Linked Businesses
10. Appendix J – Compliance/Disclosure/Indemnifications
11. Appendix K – RFP Submittal Checklist

The Municipality may request optional assessments including:
• Social engineering testing
• Wireless assessments
• Physical security assessments
• OT/SCADA assessments
• Dark web monitoring review
• Incident response tabletop exercises
• Security awareness training

Appendix A – IT Environment Inventory Summary
RFP-2026-03 – Security Assessment Services

Current IT Environment

Locations:
Township Hall – 57900 Van Dyke Rd.
Fire Station 1 – 11300 27 Mile Rd.
Fire Station 2 – 11285 30 Mile Rd.
Fire Station 3 – 61111 Mound Rd.
DPW Building – 11233 30 Mile Rd.
Wastewater Treatment Plant – 65999 Powell Rd.

This appendix provides a consolidated inventory summary of the systems, users, domains, software, and licenses identified.

1. Overall Inventory Totals

Inventory Category | Total
Domains | 1
Users | 70
Servers | 10
Endpoints / Workstations | 70
Unique Software Titles | 995
Total Software Installations | 5172

2. Domain Inventory

Domain Name | Records Count
washingtontownshipmi.onmicrosoft.com | 1

3. License Totals

License Type | Assigned Total
OFFICE 365 E 3 NO TEAMS | 38
WINDOWS STORE FOR BUSINESS | 2000000

4. User Accounts

Total user accounts identified: 70

5. Server Inventory Summary

Operating System | Model | Total
Microsoft Windows Server 2012 R2 Standard | PowerEdge T420 | 1 - END OF LIFE — October 2023. No longer receives security patches. Bidders should address this system specifically in their technical approach.
Microsoft Windows Server 2019 Standard | PowerEdge R440 | 1
Microsoft Windows Server 2019 Standard | PowerEdge T640 | 1
Microsoft Windows Server 2019 Standard | Virtual Machine | 2
Microsoft Windows Server 2022 Standard | PowerEdge T550 | 1
Microsoft Windows Server 2022 Standard | Virtual Machine | 4

6. Endpoint / Workstation Summary

Manufacturer | Model | Total
Dell Inc. | Latitude 5510 | 16
LENOVO | 21JN0040US | 11
LENOVO | 12U3000UUS | 10
Dell Inc. | Latitude 3520 | 8
Dell Inc. | OptiPlex 3080 | 5
Dell Inc. | OptiPlex 3000 | 4
Microsoft Corporation | Surface Book 3 | 2
Dell Inc. | OptiPlex SFF Plus 7020 | 2
Dell Inc. | Precision 3551 | 1
Dell Inc. | Precision 3640 Tower | 1
Dell Inc. | Latitude 5430 Rugged | 1
Dell Inc. | Precision 7780 | 1
HP | HP All-in-One 22-dd0xxx | 1
HP | HP ENVY Laptop 17-ch2xxx | 1
HP | HP ENVY Laptop 17-cr0xxx | 1
LENOVO | 12XF000WUS | 1
LENOVO | 21JK0052US | 1
Dell Inc. | Latitude 5520 | 1
Dell Inc. | Precision 5690 | 1

7. Software Inventory Summary

[NOTE: The full software inventory has been abbreviated in this appendix due to length — 995 unique titles, 5,172 total installations. The complete inventory will be made available to shortlisted vendors upon request or at the pre-proposal meeting. Key items of note for scope assessment are highlighted below.]

SOFTWARE GOVERNANCE NOTE: Multiple versions of the same applications are present across endpoints, including OpenVPN (versions 2.4.7, 2.5.6, 2.5.7, 2.5.8, 2.6.8, 2.6.13, 2.6.14), FileZilla (versions 3.52.2, 3.64.0, 3.66.4, 3.69.1, 3.69.5, 3.69.6), 7-Zip (versions 24.09, 25.01, 26.00), and PuTTY (versions 0.74, 0.78, 0.79, 0.81, 0.83).
This indicates software governance gaps that should be included in the scope of the cybersecurity program review and endpoint security assessment.

OT/SCADA NOTE: The following OT/SCADA-related software was identified in the environment: WIN-911 InTouch, WIN-911 and associated components, Wonderware System Platform, Wonderware Application Server, and Wonderware InTouch. Bidders should confirm in their proposal whether OT/SCADA security assessment is included in their base scope or priced as a separate optional service and should identify any OT-specific certifications or experience held by proposed personnel.

Appendix B – Vendor Questionnaire
RFP-2026-03 – Security Assessment Services

Required Cybersecurity and Compliance Questions (answers may be attached and must be labeled “Appendix B – Vendor Questionnaire”):

1. Describe your firm’s process for responding to ransomware and cybersecurity incidents. How do you communicate with municipal clients during an active incident, and what is your typical response timeline for similarly sized municipal clients?

2. List the cybersecurity frameworks (e.g., NIST CSF 2.0, CIS Controls v8) your firm uses. Provide documentation of your most recent third-party security assessment or SOC 2 audit.

3. Have you or any of your subcontractors experienced a data breach, ransomware attack, or security incident in the past five (5) years that affected client data? If yes, describe the incident and remediation steps taken.

4. Provide a complete list of all third-party software applications used in the delivery of assessment services that will access Township data. For each, identify the application name, function, and whether Township data leaves the continental United States.

Key Personnel Continuity

5. Identify the specific individuals who will lead and perform the assessment work. For each named individual, describe their role, certifications, and relevant municipal assessment experience.
If a named key personnel member becomes unavailable before or during the assessment engagement, describe your firm's process for substitution and how the Township would be notified and involved in approving a replacement.

Qualifications and Experience

6. Provide background/history of your company, including year the firm was established, number of employees, etc.

7. Have you ever failed to complete any work awarded to you? If so, please explain.

8. Please attach additional information relative to the firm's ability to carry out the terms of this contract, including: total number of full-time and part-time employees; employee turnover for the last 3 years; identification of those in your firm responsible for this project, including on-site supervision and their credentials.

Service

9. Explain how the company ensures quality of assessment deliverables; the average number of assessors assigned to a project of this scope; and how the geographic location of your firm affects response times if Township staff have questions during the engagement.

10. Vendor shall provide a complete list of all subcontractors, third-party software platforms, and other resources that will have access to Township systems or data during the assessment. For each, provide: company name, nature of services, data access scope, country of operations, and applicable security certifications (SOC 2, ISO 27001, FedRAMP, etc.). Vendor shall notify the Township in writing within ten (10) business days of any addition, substitution, or termination of a subcontractor. Vendor remains solely responsible for the acts, omissions, and security posture of all subcontractors.
Appendix C – Cost of Services
RFP-2026-03 – Cybersecurity Assessment Services

Service | Cost
Cybersecurity Program Review | $__________
Vulnerability Assessment | $__________
Risk Assessment | $__________
Executive Reporting | $__________
Final Presentation | $__________
External Penetration Testing | $__________
Web Application Penetration Testing | $__________
Optional: Internal Penetration Testing | $__________
Optional: Wireless Security Penetration Testing | $__________
Optional Phishing Assessment | $__________
Travel Expenses | $__________
Optional: OT/SCADA Security Assessment (see Appendix A) | $__________
Other Costs | $__________
Total Proposed Cost | $__________

[REQUIRED: Complete the labor detail schedule below for each line item above. Proposals that do not include labor detail will be considered non-responsive.]

Service Line Item | Estimated Hours | Role / Title | Hourly Rate | Extended Cost
Cybersecurity Program Review | | | |
Vulnerability Assessment | | | |
Risk Assessment | | | |
Executive Reporting | | | |
Final Presentation | | | |
[Add rows as needed]

Additional Pricing Information
Provide any assumptions, exclusions, or optional pricing details below:

Appendix D – Implementation Plan

***Insert Implementation Plan Here***

Vendors must complete and include the following in Appendix D:
• A project schedule showing all assessment phases and activities from kickoff through final report delivery, with specific calendar dates or a day-count timeline from kickoff
• Identification of Township staff time required and dependencies — including estimated hours of Township staff time needed per phase
• Communication plan — frequency and format of status updates to Township staff
• A description of how the vendor will minimize disruption to Township operations during technical assessment activities (vulnerability scanning, penetration testing, etc.)
• Acceptance criteria — how each deliverable will be reviewed and accepted by the Township
• Total proposed engagement duration from kickoff to final report delivery

Appendix E – Professional Reference Information
RFP-2026-03 – Security Assessment Services

Bidder Name: ___________________________________

PROFESSIONAL REFERENCES: List a minimum of three (3) and up to five (5) municipal government clients of comparable size (population 10,000–100,000 or 40–200 employees) where cybersecurity assessment or managed IT services were provided within the past four (4) years. References from commercial clients are acceptable only as supplemental to the required municipal references.

Reference 1
COMPANY NAME: ________________________________
Organization type (municipality/township/county/other): ________________________________
Population served or employee count: ________________________________
Contact Person: _____________________ Title: _________________ Phone: ____________
E-Mail: ________________________________
Address: ________________________________ State: _______ Zip: _____________
Contract value and duration: ________________________________
Services provided: ________________________________
Date(s) of Service(s): ________________________________
Description of any significant cybersecurity incidents during the contract and how they were handled: ________________________________

Reference 2
COMPANY NAME: ________________________________
Organization type (municipality/township/county/other): ________________________________
Population served or employee count: ________________________________
Contact Person: _____________________ Title: _________________ Phone: ____________
E-Mail: ________________________________
Address: ________________________________ State: _______ Zip: _____________
Contract value and duration: ________________________________
Services provided: ________________________________
Date(s) of Service(s): ________________________________
Description of any significant cybersecurity incidents during the contract and how they were handled: ________________________________

Reference 3
COMPANY NAME: ________________________________
Organization type (municipality/township/county/other): ________________________________
Population served or employee count: ________________________________
Contact Person: _____________________ Title: _________________ Phone: ____________
E-Mail: ________________________________
Address: ________________________________ State: _______ Zip: _____________
Contract value and duration: ________________________________
Services provided: ________________________________
Date(s) of Service(s): ________________________________
Description of any significant cybersecurity incidents during the contract and how they were handled: ________________________________

Financial Qualifications

Financial Qualifications: Vendor shall demonstrate financial stability sufficient to perform the contract for its full term. Provide the following:
(a) most recent two (2) years of audited financial statements or, for privately held firms, a letter of financial health from a licensed CPA;
(b) a statement of bonding capacity;
(c) disclosure of any pending or active litigation, regulatory investigations, or judgments exceeding $50,000;
(d) disclosure of any bankruptcy filings within the past seven (7) years; and
(e) bank reference information as follows:
    a. Bank name: ________________________________
    b. Contact Person: ________________________________
    c. Contact Person Title: ________________________________
    d. Contact Person Phone number: ________________________________
    e. Contact Person Email: ________________________________
    f. Bank address: ________________________________

Appendix F – Signature Page
RFP-2026-03 – Security Assessment Services

The undersigned represents that he or she:
• is duly authorized to make binding offers on behalf of the company,
• has read and understands all information, terms, and conditions in the RFP,
• certifies that the proposal documents contained herein were obtained directly from the MITN website, www.mitn.info, and is an official copy of the Authorized Version,
• has not engaged in any collusive actions with any other potential proposers for this RFP,
• hereby offers to enter into a binding contract with Washington Township for the products and services herein offered, if selected by Washington Township within 30 days from proposal award,
• certifies that it, its principals, and its key employees are not 'Iran linked businesses,' as that term is described in the Iran Economic Sanctions Act, P.A. 2012, No. 517, codified as MCL 129.311, et seq.,
• acknowledges the following addenda _________________ issued as part of the RFP.
• The vendor shall not disclose assessment findings without written authorization from the Municipality.
Exceptions to Solicitation and/or Standard Contract: NO______ YES_____ (include attached statement)

Name (clearly printed or typed): ________________________________
Signature of Authorized Representative: ________________________________
Title: ________________________________
Company: ________________________________
Federal Employee Identification Number (FEIN) Tax ID: ________________________________
DUNS Number: ________________________________
Payment Terms: ________________________ Warranty: ________________________
Date: _______________

Contact Person for matters regarding this RFP:
CONTACT NAME: _______________________ POSITION: _______________________
E-MAIL: ________________________________
ADDRESS/CITY/STATE/ZIP: ________________________________
PHONE: ________________________________ FAX: __________________

Appendix G – Non-Collusion Affidavit

Vendor: ________________________________

(1) Affiant is (enter contract title) ________________________________ of ________________________________, "the Contractor." Affiant has personal knowledge of the matters set forth in this Affidavit and is competent to testify about them.

(2) The Contractor has submitted to the Charter Township of Washington, a "Bid" to enter into the above referenced Contract, also referred to in this Affidavit as "the Work."

(3) This Non-collusion Affidavit is executed by Affiant for inclusion with the submission to the Charter Township of Washington of the Bid and may be relied upon by the Township in considering the Bid.

(4) Affiant is fully informed about the preparation and contents of the Bid and of all pertinent circumstances surrounding the Bid, has not entered into any contract, combination, conspiracy or other act prohibited by federal, State or any other local Law. The Bid is genuine and is not a collusive or sham Bid.

(5) Neither the Contractor nor any of the Contractor's of the Charter Township of Washington, officers, partners, directors, agents, representatives, employees or parties in interest, including this Affiant, have in any way entered or proposed to enter into any combination to prevent the making of any Bid, or to fix any prices (including overhead, profit or other costs) for the Bid; or have made any agreement, or given or promised any consideration to induce any other person not to Bid for the Work, or to Bid at a specified price; or have secured, proposed or intended to secure through any agreement an unlawful advantage against the Charter Township of Washington or any other person interested in the Work.

(6) No officer or employee of the Charter Township of Washington is personally or financially interested, directly or indirectly, in the Bid, or any Contract which may be under it, or in the purchase or sale of any materials or supplies for the Work to which it relates, or any portion of any expected profits thereto.

(7) The Bid is not intended to secure an unfair advantage or benefit from the Charter Township of Washington or in favor of any person interested in the proposed Contract.

(8) The prices bid are fair and proper and are not tainted by any collusion, conspiracy, connivance, or unlawful agreement on the part of the Contractor or any other of the Contractor's of the Charter Township of Washington, officers, partners, directors, agents, representatives, employees or parties in interest, including this Affiant; and neither the Contractor nor any of its Charter Township of Washington, officers, partners, directors, agents, representatives, employees or parties in interest, including this Affiant, have divulged any information regarding the Bid or any data about the Bid to any other person.

________________________________________________________________
Printed Name Signature Date

________________________________________________________________

STATE OF MICHIGAN, COUNTY OF ________________

Before me, a Notary Public commissioned, qualified and acting, personally appeared (enter name of the person signing this Affidavit) ________________________________ to me well known to be the person described in and who signed this Affidavit, who being by me first duly sworn upon oath, says that he/she is the attorney-in-fact for (enter Contractor's Name) ________________________________, that he/she has been authorized by (enter name of individual, partnership name, or the authorized governing body of the Contractor) ________________________________ to execute this Affidavit on behalf of the named Contractor in favor of the Charter Township of Washington, MICHIGAN, for the uses and purposes mentioned.

Subscribed and sworn to before me this _____ day of _________________, 20___.

Notary Public: ________________________________
My Commission Expires: ________________________________

Appendix H – Conflict of Interest:

______ To the best of our knowledge, the undersigned has no potential conflict of interest due to any other Township contracts, or property interest for this proposal.

OR

______ The undersigned firm by attachment to this form submits information which may be a potential conflict of interest due to other Township contracts, or property interest for this proposal.
    a. Attach and label “Attachment H – Conflict of Interest Potential Conflict”

COMPANY NAME: Contact Person Title Phone E-Mail Address Date(s) and Type of Service(s)

Print Name: ________________________________ Title: __________
Signature of Authorized Representative: ________________________________
Company: ________________________________
Federal Employee Identification Number (FEIN) Tax ID: ________________________________
DUNS Number: ________________________________
Payment Terms: ________________________ Warranty: ______________________
Date: _______________

Appendix I – Non-Iran Linked Businesses

By signing the proposal/bid, I certify and agree on behalf of myself and the company submitting the proposal the following:
(1) that I am duly authorized to legally bind the company submitting this bid; and
(2) that the company submitting this bid is not an “Iran-linked business,” as that term is defined in Section 2(e) of the Iran Economic Sanctions Act, Michigan Public Act No. 517 of 2012; and
(3) that I and the company submitting this bid will immediately comply with any further certifications or information submissions requested by The Charter Township of Washington in this regard.
Print Name: ________________________________ Title: _____________
Signature: ________________________________

Appendix J – COMPLIANCE/DISCLOSURE/INDEMNIFICATIONS

MICHIGAN IDENTITY THEFT PROTECTION ACT COMPLIANCE

Michigan Legal Compliance: the Vendor shall comply with all applicable federal, state, and local laws relating to privacy, security, confidentiality, use, disclosure, storage, transmission and disposal of Personal Information, including the Michigan Identity Theft Protection Act, MCL 445.61 et seq, as amended. Vendor shall implement security measures consistent with Michigan's Identity Theft Protection Act (MCL 445.61 et seq.). Vendor shall notify the Township within twenty-four (24) hours of any actual or suspected breach of resident personal information, including data affected and initial remediation steps. Vendor shall cooperate with the Township in fulfilling any statutory notification obligations and shall bear all breach response costs to the extent the breach is attributable to Vendor's acts or omissions.

Print Name: ________________________________ Title: __________________
Signature: ________________________________

----------------------------------------------------------------

AI TOOL DISCLOSURE AND DATA GOVERNANCE

AI Tool Disclosure: Vendor shall disclose, prior to contract execution and within ten (10) business days of any change, any artificial intelligence (AI) tools or automated systems used in the delivery of services that process Township data. Vendor shall identify the tool name, the nature of Township data processed, and whether Township data is used to train any AI model. Township data shall not be used to train any AI model without express written consent from the Township.

Print Name: ________________________________ Title: ______________________
Signature: ________________________________

----------------------------------------------------------------

RANSOMWARE AND CYBERSECURITY INCIDENT RESPONSE

Ransomware and Cybersecurity Incident Response: In the event of a ransomware or destructive malware incident affecting Township systems:
(a) Vendor shall notify the Township within one (1) hour of detection and begin remediation immediately;
(b) Vendor shall provide status updates every four (4) hours during the active incident;
(c) no ransom payment shall be made on behalf of the Township without written authorization from the Township Supervisor;
(d) Vendor's cyber liability insurance shall be the primary coverage for incident response and recovery costs where the incident originates from or propagates through Vendor-managed systems; and
(e) Vendor shall provide a written post-incident report within fourteen (14) days

Print Name: ________________________________ Title: ______________________
Signature: ________________________________

----------------------------------------------------------------

CYBERSECURITY INDEMNIFICATION

Vendor shall indemnify and hold harmless the ‘its elected and appointed officials, officers, employees, volunteers, agents, boards, commissions, representatives from and against any and all claims, demands, actions, causes of actions, damages, losses, liabilities, judgments, fines, penalties, costs and expenses, including attorney and legal fees arising from:
(a) unauthorized access to Township data on Vendor-managed systems;
(b) Vendor's failure to implement required security controls;
(c) Vendor's violation of applicable data protection laws including MCL 445.61; and
(d) ransomware incidents originating through Vendor-managed systems or tools.

Print Name: ________________________________ Title: _____________________
Signature: ________________________________

Appendix K – RFP Submittal Checklist

Task | Submitted
• Background Material: Include a Title Page showing the bid name, bid due date, name of the Vendor and Vendor’s address, telephone number, and email address.
• Company Background: Provide a general overview of the company and history in field responding to the RFP, including any subcontractors and/or third parties
• Minor Deviations: Outline any minor deviations from specifications and state them clearly in the price bid
• Appendix A – IT Environment Inventory Summary
• Appendix B – Vendor Questionnaire
• Appendix C – Cost of Services - Appendix C – Cost of Services — Breakdown per Section 13; must include labor detail schedule (see Section 7.7)
• Appendix D – Implementation Plan - Completed by vendor per the required elements listed in Appendix D; must include total proposed engagement duration
• Appendix E – Professional Reference Information - Minimum three (3) municipal references, maximum five (5); include all required fields per Appendix E form. Township reserves the right to contact references without prior notice.
• Appendix F – Signature Page
• Appendix G – Non-Collusion Affidavit
• Appendix H – Conflict of Interest
• Appendix I – Non-Iran Linked Businesses
• Appendix J – Compliance/Disclosure/Indemnifications
• Appendix K – RFP Submittal Checklist
• Cyber Liability Insurance Certificate of Insurance (minimum $2M/$4M per Section 2f)
• Labor Detail Schedule supporting each Appendix C line item
• Proposed engagement duration clearly stated in proposal

AWARDED BIDDER ONLY:

Awarded Bidder agrees to adhere to the attached bid documents, as approved by the Charter Township of Washington Board of Trustees on _________________________.

Awarded To: ______________________________________
Total Amount: ____________________________________
Term: ___________________________________________

Printed Name Representative Signature
Audrey Brown, Township Clerk Signature