1. Install and configure 4 redundant next-generation firewalls at 4 locations with the referenced capabilities:
   a. Main Site Firewall – 2 redundant, enterprise-grade, next-generation firewalls at the KIB main building at 710 Mill Bay Rd. with minimum performance specifications of 10 Gbps firewall throughput, 2 Gbps IPS throughput, 1 Gbps VPN throughput, Multi-WAN support with load balancing and failover, advanced threat protection features, integration with a centralized management platform, and 3-year premium support including advanced threat protection, IPS updates, application control, Web/DNS filtering, and antivirus updates.
      i. This location must include Industrial Systems Security (ISC) capabilities such as real-time monitoring and visibility of industrial control systems, detection and protection for industrial protocols and applications, automated vulnerability assessment for industrial systems, virtual patching capabilities for legacy industrial systems, compliance reporting for industrial security standards, industrial-specific threat intelligence and updates, and integration with the main security infrastructure.
   b. Three satellite location firewalls – redundant, enterprise-grade, next-generation firewalls with support for dual-WAN connections, site-to-site VPN capabilities, integration with the main security fabric, and 3-year premium support.
      i. 1 of these locations must include Industrial Systems Security (ISC) capabilities such as real-time monitoring and visibility of industrial control systems, detection and protection for industrial protocols and applications, automated vulnerability assessment for industrial systems, virtual patching capabilities for legacy industrial systems, compliance reporting for industrial security standards, industrial-specific threat intelligence and updates, and integration with the main security infrastructure.
      ii. One of these locations must include 2 cellular backup units providing dual-SIM 4G LTE support with a minimum of 300 Mbps download / 150 Mbps upload speeds, 5x configurable GE WAN/LAN ports, PoE support (802.3af/at), and 3-year premium support.

2. Install and configure 23 enterprise switches with the referenced capabilities:
   a. Core switching platform:
      i. 3 enterprise-grade switches providing 48x 10GE SFP+ ports per unit, 6x 40GE or 4x 100GE uplink ports per unit, advanced layer 2/3 functionality, security platform integration, redundant power supplies, and 3-year enterprise support.
   b. Access-Layer PoE switches:
      i. 3 enterprise-grade PoE+ switches with 48x GE ports, 2-4x 10GE uplinks, 770W+ PoE budget, layer 2/3 functionality, security platform integration, and 3-year enterprise support.
   c. Mid-Range PoE+ Switches:
      i. 11 mid-range switches with 24x GE ports, 4x 10GE uplinks, 420W+ PoE budget, security platform integration, and 3-year enterprise support.
   d. Compact PoE Switches:
      i. 6 compact switches with 8x GE ports, 2x uplink ports, 130W+ PoE budget, security platform integration, and 3-year enterprise support.

3. Install and configure 32 enterprise wireless access points with the referenced capabilities:
   a. 32 enterprise-grade wireless access points with a tri-radio Wi-Fi 6+ design. Access points must also have built-in antennas, a 2.5 GbE primary port, a 1 GbE secondary port, Bluetooth 5.0, security platform integration, and 3-year enterprise support.

4. Install and configure a management and security analytics platform with the referenced capabilities:
   a. A virtual appliance providing a minimum of 5 GB/day log processing capability with centralized security analytics, automated incident response, threat intelligence correlation, virus and threat outbreak detection, industrial security features including ICS analytics, compliance reporting, event correlation, automated response workflows, and a 3-year subscription.
   b. The security and analytics platform will also include 75 endpoint licenses providing advanced endpoint security protection, secure remote access, zero-trust capabilities, on-premises management capabilities, and a 3-year subscription with support.
   c. This platform will also have a centralized interface for managing security policies, managing configurations, monitoring, reporting, configuration management, and reviewing performance analytics, and will integrate with existing systems such as Active Directory and other security platforms.

5. All configured firewalls, switches, wireless access points and endpoints must:
   a. Share consistent security policies, support automated provisioning, enable coordinated threat response, provide unified logging and reporting, support role-based access control, be capable of automated workflow creation, support API-based integration, and maintain a consistent security posture.
   b. Be configured with network segmentation based on the NIST principle of least privilege, consisting of a public-facing zone, internal/trusted zone, sensitive data zone, ISC SCADA zone, contractor remote access zone, and management zone. These zones will have layer 7 traffic inspection, use a zero-trust approach, support granular ACLs, include detailed traffic logging between zones, and provide application-aware traffic management.