For context, KEYS is a municipal electric utility that supplies power to residents of the Lower Florida Keys. In 2022, KEYS conducted its first comprehensive security and risk assessment with plans to perform a complete system risk assessment at least every two years.
As a result, KEYS is looking for a qualified consultant to perform a comprehensive security and risk assessment of its IT, operations technology and SCADA enterprise-level IT assets.
According to the bid document, this would include assessing security controls and procedures related to enterprise directory services, firewalls, intrusion detection systems and physical security controls.
Physical servers, virtual servers, network and core switches, routers, firewalls and a subset of desktop computers on two separate networks must also be assessed.
Also required by KEYS are vulnerability scans and penetration testing to identify high-risk assets, along with the following services:
- An external and internal network vulnerability assessment
- A denial-of-service test
- A security configuration review, including but not limited to Active Directory, VMware platform, hardware configurations and patching
- A web application vulnerabilities assessment
- A firewall and perimeter network review for both IT and OT
More detailed information about KEYS BID 16-24, including all submission requirements and requests, can be found online. The proposal deadline is 10 a.m. on June 14.
