Report to Mayor and City Council
Tuesday, January 23, 2024
Consent
SUBJECT:
CONSIDERATION OF APPROVAL OF CONTRACT FOR 24X7 SECURITY OPERATIONS CENTER WITH ULTRAVIOLET CYBER INC. (CITY COUNCIL)
I. SUMMARY
On November 9, 2023, the Purchasing Division released an RFP (No. 23-045) for 24x7 Security Operations Center (SOC) services. The purpose of the Security Operations Center is to enhance cybersecurity readiness by identifying, monitoring, addressing, and mitigating cybersecurity threats through appropriate and up-to-date industry best practices and security techniques. The 24x7 SOC staff are based in multiple time zones to support rapid remediation and restoration of services to mitigate, control, and manage business interruption caused by cyberattacks. The SOC will coordinate with ITS staff to strengthen the City’s security posture through integration of managed detection and response, security information and event management, real-time assessments of vulnerability data, testing, and simulations. Ultraviolet Cyber Inc. does not utilize vendors or temporary staff to provide its SOC services. In addition, only United States citizens located in the United States are assigned to the City’s Security Operations Center unit. Staff requests that City Council award and approve a contract with Ultraviolet Cyber Inc. for 24x7 Security Operations Center services for a period of 6 years and 6 months, for a not-to-exceed cost of $1,667,100.00. The agreement term accounts for a 6-month period to allow for onboarding and implementation.
II. RECOMMENDATION
1. APPROVE a contract with Ultraviolet Cyber Inc. for 24x7 Security Operations Center Services for an amount not to exceed $1,667,100 for a total term of 6 years and 6 months; and
2. AUTHORIZE the Mayor to execute the contract after approval as to form by the City Attorney.
III. ALTERNATIVES
TAKE another action the City Council deems appropriate.
IV. BACKGROUND
The City of Carson has elevated the prioritization of, operational focus on, and ongoing commitment to cybersecurity in response to an increasing quantity and severity of cyberattacks on public sector and private sector firms. In addition to strategic internal realignment of staffing and operations within a cybersecurity-centric operational framework, the City will enhance its cybersecurity readiness by contracting with a 24x7 Security Operations Center. The SOC operates on a scalable business model and can efficiently allocate an appropriate number of expert staff to meet the needs for management of a significant security incident. The City’s SOC will also leverage threat intelligence from its clients across federal, state, and local government agencies and a variety of private sector industries, providing recommendations based upon security profiles and operational risk. Finally, as a requirement of the City’s Cyber Liability insurance with PRISM, the City participates in a cybersecurity health check on a scheduled basis. A recommendation of the most recent PRISM cybersecurity health check is for the City to contract with a third-party Security Operations Center vendor.
The Purchasing Division released an RFP (No. 23-045) for 24x7 Security Operations Center (SOC) services. The bid opening was held in the City Clerk’s Office on November 27, 2023. There were three (3) bid responses. A temporary Security Operations Center committee was formed to evaluate, interview, and rank the bidders. Ultraviolet Cyber Inc. was chosen by the City’s Internal Security Operations Center Committee as the recommended vendor. Staff’s due diligence, completed over several meetings, determined that Ultraviolet Cyber Inc. meets all RFP requirements and the City’s contractual terms and conditions, and that the selection was made in compliance with Section 2611(c) of the City’s Purchasing Ordinance, which permits the City to award professional services contracts based on demonstrated competence, the professional qualifications necessary for satisfactory performance of the required services, and a fair and reasonable price. Ultraviolet Cyber Inc.’s proposed costs were reasonable and within the City’s budget at $50,000 for the SOC implementation, $250,000 for the first-year security operations center costs, and an annual inflator of 3% effective each renewal year of security operations center costs ($257,500 for second year) for a total 6-year and 6-month term.
Finally, it should be noted that whereas typically City’s consultant contracts allow City to terminate with or without cause upon 30 days’ written notice given to the consultant, the proposed Ultraviolet Cyber Inc. contract will require City to provide 60 days’ written notice. Additionally, where City terminates without cause, City must reimburse the consultant on a pro-rated basis, an amount not to exceed $25,000 for any monies advanced by consultant for City’s benefit toward procurement of security software licenses. Consultant will not pay more than $25,000 per year for such purpose.
V. FISCAL IMPACT
The cost associated with the 6-year and 6-month contract with Ultraviolet Cyber Inc. is not to exceed the amount of $1,667,100. The annual maintenance cost is $250,000 with a 3% annual inflator at renewal, and a one-time implementation cost of $50,000. The Information Technology & Security Department will include the annual maintenance cost of the contract ($257,500 for second year) in the proposed 2024-2025 fiscal year and subsequent years in account number 101-54-520-101-6004.
VI. EXHIBITS
1. Contract with Ultraviolet Cyber Inc. (pgs. 4 - 39)
Prepared by: Gary Carter, Director, Information Technology & Security Department