City and County of San Francisco (CCSF)
1 South Van Ness Avenue, 2nd Floor
San Francisco, CA 94103-0948
Office: (415) 581-7000
Request for Information (RFI)
Enterprise Patch Management
Published: 23 January 2018
Informational Responses Due:
2 PM PST, 20 February 2018
Purpose
The Department of Technology (DT) and City Cybersecurity Team seek to improve the Citywide Vulnerability Management Program by implementing a robust, comprehensive, centralized Enterprise Patch Management solution that allows separate departments to self-manage their patching securely. DT and the City Cybersecurity Team solicit information from vendors that provide robust, comprehensive Enterprise Patch Management solutions, supporting City and County objectives in reducing risks and compromises throughout the City’s Information Technology systems.
Introduction
The Department of Technology (DT) and City Cybersecurity Team are implementing a Citywide Vulnerability and Patch Management Program to identify and reduce vulnerabilities and threats to City systems, networks and data. Remediation will include the assessment and application of critical updates or patches for operating systems, platforms, services, applications and utilities in a timely fashion, or as critical updates are published.
DT and the City Cybersecurity Team are focusing their phase one efforts on serving departments and extended City enterprises, with an emphasis on critical City systems, networks, and data that currently have nascent or non-active patch management programs.
DT and the City Cybersecurity Team seek a solution that provides departments and Information Technology groups with the transparency and control they need to manage and report risk effectively.
DT and the City Cybersecurity Team seek information to determine how to formalize cooperative agreement(s) with potential partners. Depending on the approach we decide to pursue, DT and the City Cybersecurity Team may need to engage in a public procurement through a Request for Proposals (RFP). If so, information gathered by this effort may inform an RFP to pursue a particular approach.
RFI Submission Conditions
Inquiry Only – No Contract
This RFI is an inquiry only. No contract or agreement will be pursued as a result of this process. DT and the City Cybersecurity Team will analyze responses and provide recommendations for next steps. Depending on the approach selected, a public procurement through an RFP may follow separately. If so, information gathered by this effort may inform the RFP. The City cannot guarantee that the Project will advance to the public procurement stage or that any subsequent procurement, if there is one, will follow the approach described herein.
Changes to This RFI
The City may at any time, and at its sole discretion, modify, amend, cancel and/or reissue this RFI by written addendum. If an addendum is issued prior to the date information is due, it will be published in the same manner, and at the same website location, by which this document is published. Please see
Information Preparation Costs
The City shall not be liable for any costs incurred by the Respondent in the preparation, submission, presentation, or revision of its information, or for any aspect of the Respondent’s pre-information submission activity. No Respondent shall be compensated for participating in this RFI.
Submittal of Confidential Information
Information submitted to the City in response to this RFI is subject to the California Public Records Act (“CRA”) and the City’s Sunshine Ordinance.
Ownership of Submitted Materials
All materials submitted in response to, or in connection with, this RFI shall become the property of the City.
Rights of the City
The City reserves all rights with respect to this RFI including, but not limited to, the unqualified right, at any time and in its sole discretion, to change or modify this RFI, to reject any and all information, to waive defects or irregularities in information received, to seek clarification of information, to request additional information, to request any or all Respondents to make a presentation, to undertake discussions and modifications with one or more Respondents, who, at any time, subsequent to the deadline for submissions to this RFI, may express an interest in the subject matter hereof. No Respondent shall have any rights against the City arising from the contents of this RFI, the receipt of information, or the incorporation in or rejection of information contained in any response or in any other document. The City makes no representations, warranties, or guarantees that the information contained herein, or in any addenda hereto, is accurate, complete, or timely or that such information accurately represents the conditions that would be encountered during the performance of any subsequent contract issued from a separate RFQ or RFP. The furnishing of such information by the City shall not create or be deemed to create any obligation or liability upon it for any reason whatsoever; and each Respondent, by submitting its information, expressly agrees that it has not relied upon the foregoing information, and that it shall not hold the City liable or responsible therefore in any manner whatsoever.
No Personal Liability
No City officer, agent or employee shall be charged personally with any liability by a Respondent or another or held liable to a Respondent or another under any term or provision of this RFI or any statements made herein or because of the submission or attempted submission of information or other response hereto or otherwise.
Information Requested
Respondents are asked to provide information for a solution that can address the following evaluation criteria:
Scope of Support
Following is DT’s and the City Cybersecurity Team’s list of devices and general software included in the phase one criteria:
- All common desktop operating systems (Microsoft Windows 7+ [all editions], Apple OS) and adjunct desktop service, application, and utility patching.
- All common network operating systems (MS Windows Server 2008+ [all editions], Linux variants [e.g. Oracle, CentOS, Red Hat, Ubuntu]), adjunct service frameworks (e.g. Apache Tomcat, Microsoft IIS, Microsoft .NET), application, and utility patching.
- All common departmental database (e.g. Microsoft SQL, PostgreSQL, Oracle), application and utility patching.
Following is a list of devices and software not included in our phase one deployment. Please note if the solution supports, plans on supporting or does not support the following items:
- Complex proprietary application suites with extensive patch requirements or custom methods of applying patches that do not lend themselves to package distribution. For example, customized PeopleSoft-based applications, Software as a Service (SaaS) applications, and application platforms requiring complex custom patching methodologies.
- SCADA (Supervisory Control and Data Acquisition) System patching. (Note: SCADA systems are used to monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining and transportation.)
- IBM Mainframe (excluded).
- IBM System I (AS/400) – AIX, GNU/Linux patching.
- Firmware (Desktop, Server, Network infrastructure) updates.
- Storage platform firmware/operating system updates or patching (SAN/NAS – Pure/EMC).
- Network Infrastructure device (switch, router, firewall, load balancer, service appliance) patching.
- Google Android device (phones, tablets, Chromebooks) patching.
- Apple IOS device (phone, tablet) patching.
- IoT (Internet of Things) [Smart TVs] updates and/or patching.
- ICS (Industrial Control Systems) updates or patching.
- Mobile Device Management (VMware AirWatch) platform updates or patching.
Application Platform Design
- Describe the solution’s platform architecture or design for a single department implementation.
- Describe the solution’s platform architecture or design for enterprise, multi-department implementation/s. Include options and alternative designs.
- If the solution is an “add-in” or enhancement to an existing solution, such as Microsoft SCCM, are there additional hardware, network or system requirements and what are they?
- Is there support to deploy the solution using virtual systems? If so, what are the requirements?
- If the solution requires a back-end database, what databases are supported and or recommended? Include versions and editions, if relevant.
- Does the solution provide an option for “Business Continuity” and or “Disaster Recovery”? If so, what are the designs, options and licensing models that pertain to such a deployment?
- If the solution has a SaaS option or is a SaaS solution, describe the following:
  - Connectivity requirements and network security options.
  - Solution access security models and requirements. How does access security integrate with existing City access controls or directories?
- If the solution currently does not have a SaaS option, are there plans to have this as an option, and if so, what are the stated advantages and drawbacks of the vendor’s proposed service?
- How does the solution scale from single department deployment to large scale multi-department enterprise deployments?
Endpoint Deployment
- Describe how the solution is deployed or supports endpoints based on operating system and or device type.
- Describe push/pull options for agent deployments.
- Are agentless deployments supported?
  - If so, on what platforms?
- If both agent and agentless deployments are supported, what are the functional advantages or limitations of deploying one over the other?
- What hardware platforms are directly supported for patching, if any? For instance, network infrastructure devices (e.g. Cisco, Palo Alto), storage (e.g. EMC, Pure) or unified hardware platforms (e.g. Oracle Exadata, Cisco UCS).
- Describe the types of endpoint access security required for deployment of the solution on supported endpoint operating systems and device types.
- What access rights are required to apply or scan for patches for specific operating systems or device types?
- Describe the solution’s endpoint inventory process.
  - What data is collected and how is it utilized?
- What deployment options are available for roaming devices that connect to the enterprise network infrequently, such as personal or business laptops?
- Are the following mixed endpoint deployment scenarios supported?
  - Enterprise AD Domain?
  - Departmental AD Domain?
  - Non-AD Domain?
  - Workgroup or non-joined standalone system?
- Is there a method, via the solution, to remove or uninstall its own agent software, if applicable, from an endpoint? If yes, how so?
Patch Support Library
- What desktop operating system endpoints are supported for patching? Please include versions and editions, if applicable.
- What network operating system endpoints are supported for patching? Please include versions and editions, if applicable.
- What database software endpoints are supported for patching? Please include versions and editions, if applicable.
- What application endpoints are supported for patching?
- What application and web frameworks and services are supported for patching (e.g. Apache Tomcat, Microsoft IIS)?
- What utilities are supported for patching?
- Are browser extensions, add-ins or plugins supported for patching or patch availability? If so, which browsers?
- Are virtualization platforms and associated adjunct applications, appliances or products supported (platforms may include VMware, Microsoft Hyper-V, Oracle VM)? Which ones and which applications?
- Are Oracle application products supported? Which ones?
- What hardware endpoints are supported? Include device types and vendors where applicable.
- How often is the patch library updated?
- How soon are new updates available for deployment?
- What is the average time to availability for deployment, once a vendor releases a patch?
- How extensive and current is the library?
- How often and what criteria are used to add new applications or devices to the patch library?
Administration Security
- Does the solution support “Role Based Access Controls” (RBAC)?
  - If so, what functional aspects of the solution can the RBAC be applied to?
  - Can custom roles be created where common functional attributes can be shared and assigned?
- Can security groups be created and users assigned based on AD credentials?
- What other directories are supported for authentication to the solution?
- Are IDs and groups native (non-directory) to the solution supported?
- How is a secured multi-tenant design implemented allowing each tenant to view and manage assets limited to their group or tenancy?
- How is the administration or management interface deployed (e.g. web or desktop application)? What are the respective software requirements and/or dependencies needed for the administration application to run?
- Can management dashboards be customized?
Execution
Please describe if and how the following functions are supported:
- Is there “Download and execute” support where one can allow the node to download a patch, but execute it later?
- Is there support to run pre- and post-installation tasks?
- Are there “Store and forward” options (for example, deploy to a depot location and redistribute locally)?
- Are there Reboot controls?
- Does the solution provide network bandwidth mitigation capabilities? If so, describe.
- Is there support for scripting?
- Is there support for recording/ packaging patches or upgrades to operating systems and or applications?
- Is there support for Microsoft Powershell or other CLI?
- Can the patch or update package deployment be customized via command line switches or other scripting tools?
- What other general functions or capabilities are supported through Microsoft Powershell or the CLI?
- Is there support for automated scheduling?
- Is there specific support for “priority patching”: functionality that addresses zero-day issues, where speed of rollout is a priority?
- Does the solution provide "enterprise-ready" patches? For example:
  - Silent installation.
  - Auto update turned off.
  - Adware disabled.
  - Shortcuts removed.
  - End-user license agreement removed.
- With regards to endpoint management, how are devices that do not connect to City network regularly, handled (i.e. remote laptops and tablets using VPN)?
- Is there a function to uninstall desktop or server components or applications, if necessary?
- Are there workflow capabilities to address multi-tier application and database servers that have ordered dependencies for patching? For instance, if the database server is successfully patched, proceed to patch the application servers. Once the application server tier is complete, patch the “presentation” servers, etc.
- Is there support for patch process lifecycles, where a patch is moved through “evaluate”, “test”, “execute”, and “validate” phases?
- Is there virtualization/ hypervisor support? For example, where a virtual machine can be patched offline using mechanisms native to the virtual platform, or where snapshots can be triggered prior to the patch being executed?
- Are there ways to recover from a failed patch? For instance, remediation support for back out, rollback, and or restoration of the pre-patch environment.
- How are endpoints polled to assess a patch and or vulnerability profile? Can polling occur manually, be scheduled, or use some other automated methodology?
- If applications are added to or removed from an endpoint, is the patch profile and or inventory updated? How so?
- How are Microsoft O365 “click to run” applications supported?
- Does the solution have an ability to create groups of endpoints based on multiple criteria including OS, application, risk or criticality, patch availability, ownership or other meta data based criteria?
- Does the solution support mixed domain authentication scenarios for endpoints including:
  - Enterprise AD Domain
  - Separate Departmental AD Domain
  - Non-AD Domain
  - Workgroup or non-joined standalone system.
- What are constraints or issues with regards to mixed domain endpoints in management or execution, if any?
- Describe available alert types or other automated messaging available in the solution.
- Are there compliance policy enforcement capabilities? For instance, network access for a system can be limited or shut down via the solution because the system is out of compliance with a critical patch.
- Does the solution offer alternative external methods for critical remediation of endpoints, such as a WEB site linking to vendor specific remediation sites where vendor patches can be directly downloaded and applied for a specific device, OS, or application? Please provide an example.
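The ordered multi-tier workflow and failed-patch recovery asked about above, as an added illustration that is not any vendor's code: tiers are patched database, then application, then presentation, the next tier starts only when the current tier succeeded completely, and any failure rolls back every endpoint patched in the run. The patch and rollback actions are injected as callables, and the fleet and outcomes are constructed so it runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed tier order taken from the RFI's example: database -> application -> presentation.
TIER_ORDER = ["database", "application", "presentation"]

@dataclass
class Endpoint:
    name: str
    tier: str

@dataclass
class RolloutResult:
    patched: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)
    rolled_back: List[str] = field(default_factory=list)
    halted_at: str = ""  # tier at which the rollout stopped, "" if it completed

def rollout(endpoints: List[Endpoint],
            apply_patch: Callable[[Endpoint], bool],
            rollback: Callable[[Endpoint], None]) -> RolloutResult:
    """Patch one tier at a time in TIER_ORDER. A tier is attempted in full so the
    report lists every failure, but the next tier starts only if the current tier
    succeeded completely. On failure, every endpoint patched in this run is rolled
    back in reverse order, restoring the pre-patch environment."""
    unknown = [e.name for e in endpoints if e.tier not in TIER_ORDER]
    if unknown:
        raise ValueError(f"endpoints with unknown tier: {unknown}")
    result = RolloutResult()
    done: List[Endpoint] = []
    for tier in TIER_ORDER:
        for ep in (e for e in endpoints if e.tier == tier):
            if apply_patch(ep):
                result.patched.append(ep.name)
                done.append(ep)
            else:
                result.failed.append(ep.name)
        if result.failed:
            result.halted_at = tier
            for ep in reversed(done):  # undo newest first
                rollback(ep)
                result.rolled_back.append(ep.name)
            break
    return result

# Constructed fleet for a stand-alone run (hypothetical host names).
FLEET = [Endpoint("db1", "database"), Endpoint("app1", "application"),
         Endpoint("app2", "application"), Endpoint("web1", "presentation")]

def simulate(outcomes: Dict[str, bool]) -> RolloutResult:
    """Run the rollout against FLEET with scripted per-endpoint patch results."""
    return rollout(FLEET, lambda ep: outcomes[ep.name], lambda ep: None)

if __name__ == "__main__":
    print(simulate({"db1": True, "app1": True, "app2": False, "web1": True}))
```

With app2 failing, the run halts at the application tier, web1 is never touched, and app1 then db1 are rolled back.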
Reporting & Auditing
- What reports are supplied “out of the box”?
- Can reports be customized and or created?
- Are there automated report distribution mechanisms?
- Does the solution perform patch compliance analysis where it can be determined that an endpoint is at a designated patch level or whether patches have been successfully applied?
  - Provide a gap analysis of patches to be applied?
  - Provide accurate patch success analysis (%)?
  - Determine endpoint compliance with patch prerequisites (patch dependencies met) for patch deployment success?
- Does the solution support reporting that can be used in ascertaining regulatory compliance reporting for an endpoint?
- Can the solution track and audit access and use activity? Can the activity be audited and reported?
  - If so, what are the mechanisms to do so?
- Can the solution provide an application audit or inventory to determine what applications, firmware, or other available version information is present on an endpoint?
- Are browser add-ins or extensions covered in an endpoint scan or audit?
- Are vulnerability assessments and or profile reporting included in the solution?
- Depth of patch metadata - Does the vendor provide additional information about the patch to assist with discovery, prioritization and reporting? For instance, criticality of a patch.
- License tracking – Can totals be derived for specific applications aggregated by version and endpoint owner/administrator/group/department? Describe.
- Can reporting support filtering on various endpoint criteria:
  - Endpoint owner criteria.
  - Endpoint asset software criteria.
  - Endpoint asset hardware criteria.
- Are there real-time or other performance monitoring functions to measure performance issues related to solution components or to flag when resource constraints are being reached?
- Describe what metrics the solution can report on.
- Describe business intelligence metrics or types of business intelligence reporting supported.
Integration & Compliance
- What integration is supported “out of the box”?
- In a standard purchasing scenario, are customers normally able to integrate with some client management or vulnerability assessment tools without professional services?
- What APIs are supported?
Following is a list of applications and service platforms. Please describe how the solution either leverages, integrates with, provides or supports similar functionality.