1. Goal
  2. To help ensure our response meets the goal of the project as stated in section 3, please describe: Specific information with respect to CNB goals, strategic plans and ERM will be provided to the winning bidder.
  3. CNB’s goals
  4. The CNB strategic plan
  5. CNB’s Enterprise Risk Management initiative
  6. Scope
  7. Approximately how many interviews of relevant CNB personnel do you foresee? 20-30, or as many as is common for this type of assessment.

b.  Approximately how many locations will require a site visit? 3 or 4 (Catoosa, West Siloam Springs, Stilwell, Tulsa)

  1. What is the size of your IT organization? Approximately 120 employees.
  2. How is your IT organization structured? IT Security, Infrastructure, IT Surveillance, Enterprise Apps, PMO and Development, Support Operations, Business System Consulting, Account Managers.

e.  Are IT services centralized or distributed across your locations? Primarily centralized in Catoosa, with limited staff and resources at remote locations.

  1. Are any IT services outsourced? If so, which ones? No.

g.  Are your IT processes centralized / standardized across locations? Primarily centralized in Catoosa with some standardization.

  1. How many unique server images / configurations does CNB utilize? Please provide a description of each. We utilized a mixture of primarily Windows Server OSs from 2000 to 2008 R2. Most servers are customized for specific needs.
  2. How many unique PC images / configurations does CNB utilize? Please provide a description of each. We utilize a mixture of XP SP3 and Windows 7 SP1. These are based on about 10 images that we customize based on service needs.

j.  How many unique network device images / configurations (e.g. router, switch, firewall) does CNB utilize? Please provide a description of each. Many; configurations and devices are specific to need and entity as required.

  1. Are you looking for the vendor to analyze the configs of all software applications? No.
  2. Are you looking for the vendor to identify any PII, PCI, HIPAA or similar compliance issues? If so, specifically which ones? PCI, ITAR, HIPAA, FAR, Gaming. Additional requirements noted should be communicated and any associated risk quantified.
  3. With respect to the requirement to “identify and describe high-risk areas,” what is the criteria CNB uses to classify a risk as “high,” or would you like the vendor to provide a classification? Vendor provided with definitions.
  4. With respect to the “recommendations” deliverable, would CNB like the vendor to include an implementation approach, resources, potential cost and estimated timeline, or will CNB develop this implementation roadmap? Vendor provided for any item that is of significant risk.
  5. What version(s) of the following applications has CNB deployed? Specific versions will be communicated to the successful bidder.
  6. PeopleSoft Financials
  7. PeopleSoft HCM
  8. PeopleSoft CRM
  9. Kronos
  10. Deltek
  11. Accura
  12. IGT Advantage
  13. Micros POS
  14. Opera Hotel
  15. SharePoint
  16. IIS
  17. Exchange
  18. TERO fees – The $25/day fee will not apply on this project but the ½ of 1% of the total contract award that is included in the proposal.
  19. TERO fees include 0.5% of total contract award. Does “total contract award” include travel expenses?
  20. TERO fees include $25 per non-Indian employee working on this project per day if working on a Cherokee Nation location. Does “working on a Cherokee Nation location” mean “physically at a Cherokee location for any length of time on a given day,” or just each day they are working on the Cherokee project?

4.  Can you provide a list of the types of network devices you have on your network. For example of the 2000 devices 200 are switches etc… 66% Switches, 29% Access points, 3% routers, 1% firewalls.

5.  Can you provide a list of the types of endpoint devices you have on your network. For example of the 3000 devices 1000 are laptops, 500 are mobile etc… Approximately 50% Desktops, 50% portables.

  1. As a standard part of a risk assessment we typically perform vulnerability assessments to audit end points. Do you want a VA run as part of this engagement? If so would you want it for all of the end points or a sampling? No.
  2. As a part of this RA, do you require a specific audit/assessment of each application you have listed – ie. Peoplesoft, Micros POS etc…? No; however overall architecture of systems to support business objectives and disaster recovery should be in scope.
  3. Can you provide a list of the documents you will have available to the successful bidder to support primary objective #1? Organization charts, policies and procedures, system diagrams, project lists, strategy information, product/service lists, other as needed.
  4. What location(s) are your key personnel located at? Catoosa, West Siloam Springs, Tulsa, Stilwell
  5. Are site visits required for all 50 locations? No
  6. Can you provide a description of the communication links – specifically from the remote locations back to the data centers? Layer 2 multi-point transparent LAN with access rates varying from 500Mbs to 1.5Mbs.
  7. Patriot uses NIST and ISO as our framework for risk assessments – are those acceptable standard for this engagement? Yes
  8. When was the last time you had a risk assessment completed and if one was completed can it be reviewed as a part of this assessment? Internal Audit prepares, at least annually, a risk assessment. Yes it can be reviewed as part of this assessment.
  9. Are you able to purchase off of Federal government contracts – ie GSA Schedule? Yes.
  10. Any external VA testing required/desired? If so please provide # of external facing hosts? No.
  11. Does CNB anticipate a follow-up RFP to address the deficiencies identified in this audit? Yes; however, the winner of this assessment is precluded from participating in remediation efforts.
  12. Would that vendor performing the analysis be eligible to bid that project, or eligible to provide oversight to ensure the deficiencies are properly addressed? No, as stated in the bid package.
  13. Will you want a review of physical security for all sites, data center site, or physical out of scope? Physical security is out of scope.
  14. Do you want a review disposal of drives? If so, is this inclusive all devices or data center only? No.
  15. Can you please remove the requirement in Section II, 4.04 of the RFP, shown below? This requirement applies to construction related bid packages: This will not be removed. Only the ½ if 1% of the total contract award will be applicable. The $25/day fee is not applied here.

The requirement states as follows, "4.04 Tribal Employment Rights Office, “TERO,” requirements apply including fee of ½ of 1% of total contract award. Successful bidder must complete TERO Labor Agreement and pay all applicable fees, including $25 per non- Indian employee working on this project per day if working on a Cherokee Nation location. Please refer to Cherokee Nation Legislative Act 30-12 dated 8/13/12 repealing and superseding Cherokee Nation law regarding Labor and Employment Rights Ordinance and Declaring an Emergency. The complete Act is available by contacting the TERO office at Tahlequah, 918-453-5000. TERO bidders are required to provide a copy, front and back, of their TERO certificate with return bid(s)."

  1. The RFP mentions +/- 50 locations being supported by CNB IT. Would CNB like to have all of these locations included within the assessment, or a sampling of locations? Please list each geographic location CNB would like included in the scope of this engagement along with an approximation of users and servers at each location. Catoosa, West Siloam Springs, Tulsa, Stilwell all in Northeast Oklahoma. Most primary systems are housed at Catoosa and Stilwell with secondary in West Siloam Springs.

22.  What regulations is the company required to adhered to? (SOX, HIPAA, PCI, etc.) PCI, ITAR, HIPAA, FAR, Gaming. Additional requirements noted should be communicated and any associated risk quantified.

23.  How large is the IT department? How many sub-groups exist within IT? Approximately 120, Divided into IT Security, Infrastructure, IT Surveillance, Enterprise Apps, PMO and Development, Support Operations, Business System Consulting, Account Managers.

  1. Does the company have an information security infrastructure and dedicated staff / team? Yes.

25.  Does the company have information security policies? If so, how many? Yes, Approximately 15 security specific with various security related items included in policies and procedures throughout.

  1. Does the company use a common framework to develop its security program? If so, what level of documentation exists? No.
  2. Does the company develop custom software to support business operations? Yes, but limited.

28.  How many applications, databases, and networks are utilized within the company? 120+ applications,116 servers database servers with 1,300 databases, 4 physical networks with approximately 300 segments

29.  Has the company had an independent security review in the last 24 months? Several Internal Audit reviews no 3rd party reviews.

  1. Does the company outsource any of its IT operations? If so, what functions are those functions? No.
  2. Does the company outsource any of its security operations? No.
  3. Does the company use any Software as a Service (SaaS), hosted applications or services, or cloud computing for critical or sensitive IT functions? Yes, but limited. Salesforce, Brightree and Showare are the primary SaaS solutions.
  4. Is there a pre-established budget for this project? Could you please provide the budget figure? No.
  5. Is there a set-aside and/or any special considerations for this opportunity to prefer small disadvantaged businesses, woman-owned businesses, economically disadvantaged woman owned small businesses, and/or minority-owned businesses? The only preference given is to TERO certified vendors
  6. Is this the first time that the Nation will contract a vendor for a project with this (or similar) scope? Yes.
  7. Could you please name the previous successful contractor and the amount of the last successful bid? N/A.
  8. Further, if there is an incumbent, what is the reason that the Nation is looking to contract a new vendor for this requirement (e.g. poor performance by previous vendor, conflict of interest issues, etc.)? N/A.
  9. During evaluation of proposals received, will any preference/points be awarded for vendors that submit references from government organizations or other Indian tribes? Is it preferred that the contractor have such experience? Experience with similar entities will be part of the consideration. Specifics on scoring will not be provided.
  10. Is there a preference for a local firm (or one that is more accessible)? Will this go against a vendor who is not local or not more accessible, in the scoring process? If so, please specify the point deductions applicable. Location of bidder is not a material consideration outside of potential material differences in T&E expenses.
  11. What is the most preferred start date for the project for the Nation? May or a reasonable date agreed to by both parties.
  12. Page 10 (2nd paragraph) of the RFP document provides a good high-level overview of the technical infrastructure in scope. Could you please confirm if individual configuration-level security reviews of said technical components are within the scope of this project? If so, please specify what components will need to undergo configuration reviews and how many per type. Device level configurations are not in scope; however, architectural configurations in support of business objectives and disaster recovery should be reviewed.
  13. Is external scanning and/or penetration testing is part of the scope? If so, please provide the total number of live external IP addresses that will be a part of the external scanning assessments? An approximate number is what we are looking for to be able to estimate pricing. No, this is not a penetration assessment.
  1. Is internal scanning and/or penetration testing is part of the scope? If so, please provide the total number of live internal IP addresses that will be a part of the external scanning assessments? An approximate number is what we are looking for to be able to estimate pricing. No, this is not a penetration assessment.
  2. How many different locations are expected to be involved for on-site visits and/or technical activities (e.g. on-site audits, etc.)? Could you please provide a physical address for these locations and an approximate idea of the physical proximity of these locations to one another (e.g. main location is 123 Auditsville Avenue, Networksburg, OK 12345; all other locations within a 20 mile radius of main location)? Catoosa, West Siloam Springs, Tulsa, Stilwell all in Northeast Oklahoma. Most primary systems are housed at Catoosa and Stilwell with secondary in West Siloam Springs.
  3. Pertaining to the statement, “there are approximately 450 physical and 350 virtual servers, 2,000 network devices and 3,000 managed end-user devices” does this refer to back office equipment or is the gaming floor included in these totals? Includes gaming support infrastructure; excludes gaming machines.
  4. How many firms have been solicited by CNB to provide their services for this RFP? N/A
  5. Would CNB be open to a meeting with vendors before the submittal response date of April 12? After the initial evaluations, at CNB’s discretion, meetings may be held with top bidders.
  6. Confirmation that the totality of the systems CNB would like to be in the scope (those defined in the RFP) are, in fact, the same that support this list of enterprises: This is not a complete list of applications; however, those listed are primary applications to support the business units. Detailed review of each application in the environment will not be required to suffice this RFP.

Cherokee Nation Businesses (7 Divisions, 20 Business Units)

1. Environmental & Construction – 2 business units

- Cherokee Nation Cherokee CRC - Cherokee CRC (CCRC) is an environmental, construction and professional services company that provides clients with custom tailored services that fit their specific needs

- Cherokee Nation Construction Services - Cherokee Nation Construction Services (CNCS) offers highly skilled, professional, technical and administrative support teams for government and commercial clients

2. Healthcare – 4 business units

- Cherokee Nation Assurance - Cherokee Nation Assurance (CNA) is a technology solutions provider specializing in delivering information technology, management consulting program support and professional support services

- Cherokee Nation Healthcare Services - Established in 2009, Cherokee Nation Healthcare Services (CNHS) provides medical supplies and a wide range of services, including financial recovery, patient appointing, recruiting, credentialing and placement of clinical, administrative and housekeeping personnel for numerous federal agencies and commercial clients