STATE OF NORTH CAROLINA
NC Dept of Public Instruction
Refer ALL Inquiries to: Mike Beaver
Telephone No. 984-236-2366
REQUEST FOR INFORMATION NO. 40-Cybersecurity
Due Date and Bid Opening Date: August 11, 2020
Issue Date: July 21, 2020
Commodity: Cybersecurity Solution
Using Agency Name: Department of Public Instruction
Deliver one (1) signed original executed offer. The files must not be password-protected and must be capable
of being copied to other media. Only offers submitted electronically (email) in response to this will be
It is the responsibility of the Vendor to deliver the offer in this office by the specified time and date of opening.
Attn: Mike Beaver
Responses shall be emailed to Michael.Beaver@dpi.nc.gov no later than the specified time and date of
NOTICE TO VENDOR
Request for Information (RFI) will be received electronically or at this office at Education Building 301 N.
Wilmington St., Room B04, Raleigh, NC 27601 until 2:00pm ET on the day of opening and then opened.
Submit written questions to Michael Beaver until 12pm EDT (noon) on July 28, 2020. Questions may be
submitted by e-mail, fax or mail to: Mike Beaver.
CITY & STATE:
TELEPHONE NUMBER: TOLL FREE TEL. NO:
TYPE OR PRINT NAME & TITLE OF PERSON SIGNING:
1.0 EXECUTIVE SUMMARY
The COVID-19 pandemic has forced North Carolina schools to shift to a remote, online instruction delivery
model. This significant use of, and reliance on, internet technology makes potential cybersecurity lapses
and failures more damaging. To this end, the NC Department of Public Instruction (NCDPI) is seeking
information on comprehensive, integrated cybersecurity solutions that will provide end-to-end protection of
NCDPI, 115 local education agencies (LEAs), and nearly 200 charter schools. Proposed solutions must
include all necessary components including hardware, software, licenses, maintenance, monitoring,
training, etc. Solutions must comply with all relevant state and federal laws and with all NC Department
of Information Technology (NCDIT) administrative rules and security policies. The State prefers solutions
that adhere to relevant National Institute of Standards and Technology (NIST) guidelines and frameworks.
The State requests detailed point-by-point responses showing how your vendor would address the items
in the following sections of this RFI:
Section: 3.0 Service Specifications
2.0 RFI PROCEDURES
Respondents will have four weeks to prepare their submissions to this RFI. Responses must be
received by the date, time and the location specified on the cover sheet of this RFI. Respondents may
be required to come to Raleigh, NC or meet virtually to present and discuss their submissions.
Respondents will be notified of the specific date and time at least two weeks in advance of any required
B. Clarification Questions
Clarification questions will be accepted until 12pm EDT on July 28, 2020 as specified on the cover
sheet of this RFI. All questions must be submitted in writing. Any general clarification questions and
their answers will be issued as an addendum to this RFI.
The State recognizes that considerable effort will be required in preparing a response to this RFI.
However, please note this is a request for information only, and not a request for services. The
Vendor shall bear all costs for preparing this RFI. This RFI is not a request for offer and no award will
1. Content and Format
The State expects concise, detailed, point-by-point responses to each of the RFI response items
identified in Section 3.0 Service Specifications of this RFI. The State is not interested in brochures
or “boilerplate” responses. Instead, responses should clearly define how the vendor’s proposed
solution(s) would meet the State’s business requirements. Any issues or exceptions to the State’s
requirements should also be identified and explained.
The response should also include annotated network drawings showing where each of the pieces of
equipment in the proposed solution would be located and how those devices would be
A comprehensive, detailed equipment list including devices and software required for the proposed
solution should be provided. All equipment identified in the response must be commercially
available and in general distribution on or before the pilot go-live date.
The response should define all services that would be required by the proposed solution. The
response should also include:
• The vendor’s understanding of the project and services by addressing the State’s business
• An estimated total cost of ownership to provide the solution to NCDPI and all public school
units (as defined by N.C. Gen. Stat. 115C-5(7a)), including continued compliance with emerging
• The proposed solution’s ability to expand and evolve to serve other sites either inside the
Raleigh area or in other county locations, which also meets all the service and performance
requirements identified in this RFI.
2. Multiple Responses
Multiple responses will be accepted from a single vendor provided that each response is
comprehensive, meets all the State’s requirements, and is truly unique. Please place in separate
envelopes and clearly mark responses as “Response #1, Response #2, etc.”
3.0 SERVICE SPECIFICATIONS
A. Business Specifications
1) Describe how the solution will provide the following cybersecurity services:
• Identify Threats
o Asset Management
o Business Environment
o Active Risk Assessment
o Access Control
o Awareness and Training
o Data Security
o Email Security
o Endpoint Security
o Information Protection Protocols
o Network Firewall
o Security Filtering
o Virtual Meeting Security
o Web Security
o Active Vulnerability Analysis
o Anomaly Detection
o Detection Protocols
o Security Monitoring
o Event Analysis
o Response Planning
o After Action Review
o Data Backup (Immutable and/or cloud based)
o Recovery Planning
2) Describe how the solution will secure all Personally Identifiable Information and other confidential
information as required by state and federal law.
3) Describe how the solution will enable and secure access from multiple entry points with varying
levels of security (homes, offices, etc.)
4) Describe how the solution will integrate with existing NCDPI and LEA network infrastructure and
5) Describe how the solution adheres to relevant National Institute of Standards and Technology
(NIST) Special Publication (SP) 800-53 revision 4 guidelines (available at
6) Describe how the solution complies with all NCDIT rules and security policies (available at
7) Describe the proposed timeline for fully implementing the solution.
8) Describe any part of the solution that will be performed by a third party. Please identify all such
9) Describe any part of the solution that will be performed outside of the United States. Please identify
all foreign countries where work will be performed.
10) Describe the solution’s pricing model and any alternative pricing models or options.