DATE: December 14, 2021
TO: Board of Supervisors
SUBMITTED BY: Hollis Magill, Director, Human Resources
Paul Nerland, County Administrative Officer
Robert Bash, Director, Internal Services/Chief Information Officer
SUBJECT: Agreement for Cyber Preparedness Consulting Services
RECOMMENDED ACTION(S):
TITLE
1. Make a finding that it is in the best interest of the County to suspend the competitive bidding process consistent with Administrative Policy No. 34 for unusual or extraordinary circumstances as GlassRatner Advisory and Capital Group, LLC, dba B. Riley Advisory Services is the only vendor that can provide continuity of services as initiated in Procurement Agreement P-21-275; and
2. Approve and authorize the Chairman to execute an Agreement with GlassRatner Advisory and Capital Group, LLC, dba B. Riley Advisory Services, to provide urgent and necessary cyber preparedness consulting services from January 1, 2022 through December 31, 2024, which includes a one-year base contract and two optional one-year extensions, total not to exceed $305,000.
REPORT
There is no increase in Net County Cost associated with the recommended actions as sufficient appropriations and estimated revenues are available in Human Resources - Risk Management’s (HR-Risk) Org 8925 FY 2021-22 Adopted Budget. Approval of the recommended actions will allow for a comprehensive countywide evaluation of cyber threat vulnerabilities and provide recommendations and plans for mitigating risks associated with the vulnerabilities. The scope of work outlined in the recommended agreement was developed based on the recommendations of a previous review and audit by Riley Advisory Services (B. Riley) of associated county functions. This item is countywide.
ALTERNATIVE ACTION(S):
Your Board could choose to not approve the recommended actions; however, the County would not receive needed cybersecurity evaluation and risk mitigation or have expert assistance in the development of a County Cyber Preparedness Plan.
SUSPENSION OF COMPETITION/SOLE SOURCE CONTRACT:
The Department’s request to waive the competitive bidding process is consistent with Administrative Policy No. 34 as B. Riley is the only vendor that can provide continuity of services as initiated in Procurement Agreement P-21-275. The services requested in this agreement will be provided based on the findings and recommendations of an independent review by B. Riley of technical and process controls in relation to cyber security and preparedness. The Internal Services Department (ISD) - Purchasing Division concurs with the HR-Risk’s request to suspend the competitive process.
FISCAL IMPACT:
There is no increase in Net County Cost associated with the approval of the recommended actions. The maximum compensation in FY 2021-22 is $260,000; $305,000 for the term. Sufficient appropriations and estimated revenues are included in the HR - Risk Org 8925 FY 2021-22 Adopted Budget and will be included in subsequent budget requests.
DISCUSSION:
In July of 2021, B. Riley was retained under Procurement Agreement P-21-275 and subsequent Amendments I and II to complete a comprehensive forensic factfinding and evaluation of specific department vulnerabilities to social engineering and other cyber-based threats. B. Riley concluded the evaluation in November of 2021, and as a result recommended that the County engage in a cyber security evaluation to address the items identified in the evaluation. Further, it was recommended that the County prepare a cyber preparedness plan to address continuing threats. Based on the array of services provided by B. Riley and the ability to provide continuity of services, HR-Risk, the County Administrative Office and ISD - Information Technology Services Division (IT) is recommending that the County expand the services provided by B. Riley to include a detailed cybersecurity assessment and the development of a countywide cyber preparedness plan to address intrusion threats and risk mitigation.
The work provided by B. Riley will consist of a multi-tiered approach that will take place in seven stages. The initial stage will focus on the perspectives of the ISD-IT on existing cyber security measures and perspectives into the adoption of cybersecurity policies and procedures. This phase will be followed by assessments of each of the County’s twenty Departments, allowing B. Riley to obtain the organizational perspective surrounding cybersecurity. Subsequent stages will include staging of realistic incidents through tabletop exercises and empirical testing using targeted phishing and social engineering scenarios, penetration testing, and malware simulations with select departments. B. Riley will then complete a dashboard report which will allow the County to easily identify any vulnerabilities and a plan for targeting those vulnerabilities. A strategic County Cyber Preparedness Plan will be developed to provide a comprehensive approach to establish standards based on industry-standard cybersecurity practices and tailored to address the needs unique to the County. Once these stages are complete, B. Riley will return to measure the progress in implementing the suggested practices, policies, and procedures.
The recommended agreement authorizes B. Riley to conduct the services described. This agreement may be terminated by either party without cause upon issuance of a ten-day written notice of termination to the other party. The agreement may be extended beyond the initial term and should the need for these services continue beyond December 31, 2024, options will be evaluated and presented to your Board.
ATTACHMENTS INCLUDED AND/OR ON FILE:
Suspension of Competition Acquisition Request Form
On file with Clerk - Agreement
On file with Clerk - Procurement Agreement
CAO ANALYST:
Yussel Zalapa