Specifications include, but are not limited to:

The City of Rockville is seeking a qualified firm to provide Security Assessment Services. The City intends to undertake a comprehensive third-party cybersecurity assessment that will thoroughly review the current state of its entire information technology infrastructure and security to identify vulnerabilities in its systems, policies, controls and practices, and develop a prioritized road map of activities with a clearly defined set of actions to mitigate and remediate the risks identified. This assessment will be the first comprehensive assessment for the City in the last two years.

The assessment must utilize industry best practice methodologies to ensure a standardized risk mitigation approach that will offer the highest risk reduction potential. The approach will complement the NIST Cybersecurity Framework and follow the 20 Center for Internet Security (CIS) Controls, Measures and Metrics for Version 7. Additionally, this effort will benchmark the City's current cybersecurity posture against the NIST Cybersecurity Framework, identify both the strengths and areas for improvement in the existing Information Security Program, and develop an appropriate information security improvement roadmap and target state based on the City's threat and vulnerability profile and aligned to Zero Trust architecture modeling. The strengths and areas for improvement in the existing Information Security Program are to be identified by comparing it to industry-leading standards and the best practices of the latest NIST Cybersecurity Framework, which should align to the CIS/SANS Top 20 Critical Security Controls and Zero Trust architecture modeling.

The City of Rockville anticipates awarding a single contract to the selected vendor. The period of performance will be from the date of execution of a contract through September 28, 2018. All work must be completed by this date and the final invoice must be submitted by October 26, 2018.
The assessment is to include, but not be limited to:

1. Vulnerability/Compliance Assessments
2. Risk Assessment
3. Penetration Tests
4. Information Security Program Assessment
5. Data Loss Prevention