IT Security Audit RFP 2025
Project Information
- Bid Title
- IT Security Audit RFP 2025
- Issuing Agency
- City of Durango
- Location
- Colorado
- Published Date
- Nov 18, 2025
- Closing Date
- Dec 16, 2025
- Government Level
- State & Local
- Status
- Closed
- Original Source
- Join to Access Full Details
- Bid Inquiries
- Join to Access Full Details
- Bid Documents
- Join to Access Full Details
- Project Description
- IT Security Audit RFP 2025
- Attachment Preview
-
REQUEST FOR PROPOSALSIT Security AuditISSUE DATE: November 7, 2025.Information Technology Department949 East 2nd AvenueDurango, CO 81301(970) 375-4994www.DurangoCO.govREQUEST FOR PROPOSALSThe City of Durango, Colorado, by and through its Purchasing Administrator, is accepting proposalsfrom qualified firms for an IT Security Audit in accordance with the terms, conditions, andspecifications contained in these documents.Bidders wishing to participate should ensure they have all addenda prior to submission of the bid.Failure to acknowledge receipt of any addenda applicable to this project could result in the rejectionof your bid.This request for information and any subsequent addenda will be posted to the Rocky Mountain E-Purchasing System website (www.bidnetdirect.com/colorado), then click on Vendor Login or VendorRegistration if you have not already registered. Firms are encouraged to register with RMEPS for allCity bid opportunities.Questions: All questions must be submitted via the Rocky Mountain E-Purchasing System website:(www.bidnetdirect.com/colorado).Question Deadline: November 20, 2025. (Local Time): 3:00 p.m. (MDT)Questions received after the deadline may not be accepted.Responses to Questions: December 4, 2025. (Local Time): 3:00 p.m. (MDT)Submittal Instructions: Submittal requirements are outlined in Section III of this RFP.Project Title: IT Security AuditBid Due Date and Time: December 16, 2025. (Local Time): 3:00 p.m. (MDT)Deliver Proposals via: Rocky Mountain E-Purchasing Systems, www.bidnetdirect.com/colorado.It is the sole responsibility of the respondent to see that the proposal is received before thesubmission deadline. Late proposals will not be considered.All proposals submitted shall be binding upon the respondent if accepted by the City within sixty (60)calendar days of the submission date. Negligence on the part of the respondent in preparing theproposal does not confer a right of withdrawal after the time fixed for the submission of the proposal.This project is being bid in accordance with the City of Durango Purchasing Policy.Bob Grogan, Jr.Purchasing ManagerAdvertised: November 7 & 12, 2025.949 E. 2nd Avenue, Durango, CO 81301I. INVITATION AND BACKGROUNDA. General Information and Scope of WorkThe City of Durango invites all interested, qualified consultants capable of providing an ITSecurity audit.The purpose of this RFP is to:• Identify vendors with expertise to perform an extensive IT security audit.• Understand the methodologies and tools used by vendors to conduct securityaudits.• Gather information on the scope, timeline, and estimated costs associated with theaudit.• Assess the capabilities of vendors in identifying and mitigating securityvulnerabilities.Additionally, the selected vendor will be expected to:• Conduct a thorough assessment of the City of Durango's IT cybersecuritylandscape, including the following systems and areas:o External vulnerability scan penetration testing against a /24 public IP spaceo Internal vulnerability scan/penetration testing with assumed-breachscenario (e.g., stolen laptop with VPN access) against /21 IP space, as wellas IP addresses shared with Sister Government Agencies. Need tocoordinate with Sister IT to avoid possibly violating intergovernmentalagreements.o Public Wi-Fi security analysiso Other specific items?• Evaluate the effectiveness of current security measures and policies for assuringcompliance with CJIS, CORA, and NIST.• Identify potential security vulnerabilities and provide recommendations formitigation.• Perform non-disruptive penetration testing and vulnerability assessments during aplanned outage window coordinated with external agencies.• Provide a remediation plan that demonstrates findings, risks, and suggestedimprovements.• Provide a report on what was tested and what was not tested.• Have at least 5 years of experience performing similar vulnerability assessments fororganizations with similar complexity and compliance requirements. Also hold thefollowing certifications OSCP/OSCE.B. City BackgroundCity of Durango Cyber Security Profile:• Cyber security team with two dedicated analysts• Endpoint protection deployed on all endpoints and servers.• Ongoing required cyber training for all users with simulated phishing exercises• Internal vulnerability scanning across multiple business VLANS.• HA Firewalls on the edge of the environment, monitoring north / south traffic.• Internal firewalls segmenting the business network from SCADA operations, monitoringeast / west traffic.• VPN solutions deployed on both hardware and software solutions• SaaS and private cloud applications with SSO deployed with MFA.• Private cloud is hosted within redundant data centers• Cyber-security policy library\• Full-service city with airport, water treatment, police, fire, inter-agency cooperation withother local governments, etc.C. RequirementsThe selected vendor will conduct the security audit in two distinct phases:1. External AssessmentPerform external vulnerability scanning, penetration testing, and risk assessment acrossxx public IP addresses.2. Internal AssessmentConduct internal vulnerability scanning, penetration testing, and risk assessment acrossboth/a/24 and two/21/21 internal network segments.The awarded vendor will be provided with VPN access and an organizational useraccount to facilitate this portion of the engagement.The following features should be highlighted by the contractor’s proposal.• Overview of the company, including history and areas of expertise, as well as similarprojects completed in the past• Detailed description of the proposed audit methodology.• Examples of previous IT security audits performed, including outcomes and clientreferences, as well as redacted results of previous assessments.• Proposed timeline for completing the audit.• Estimated cost for the audit.D.General Information1. Time is of the essence, and any submittals received after the announced time and datewill be rejected. It is the sole responsibility of the Respondent to ensure that their RFI isreceived by electronic submission at www.bidnetdirect.com/colorado by the due date andtime.2. Nothing herein is intended to exclude any responsible firm or in any way restrain orrestrict competition. On the contrary, all responsible firms are encouraged to submit aresponse. The City reserves the right to reject any or all submittals.3. Identify the firm’s name, location of office(s), and website.▪ Provide a brief description of your firm, including how long your firm has been in business.▪ List the primary contact, with name, address, phone number, and email information. Identify otherkey individuals (name and position).▪ Provide the names and telephone numbers of at least three (3) client references of similar scopewith a brief descriptionII. PROPOSED SCHEDULEPROPOSED SCHEDULEProject’s 1st PublicationProject’s 2nd PublicationContractor Questions DueFinal Addendum Issued by PurchasingProposals DueInterviews if necessaryNotice of AwardNotice to ProceedNovember 7, 2025.November 12, 2025.November 20, 2025. 3:00 PM Local TimeDecember 4, 2025. 3:00 PM Local TimeDecember 16, 2025. 3:00 PM Local TimeJanuary TBD, 2026.Estimated week of February TBD, 2026.Estimated week of February TBD, 2026.III. INSTRUCTIONS TO PROPOSERSA. General1. Submit Bids electronically via www.bidnetdirect.com/colorado prior to deadline. Pleasesubmit all your required documents in a single PDF file in the bidder’s company name.Late proposals will not be accepted.2. All Bids must be a maximum of 30 pages in a minimum 12-point font. All pages with wordscount towards the page limit.3. Retain one copy for your records.4. Successful Contractor must have or obtain a current City Business License upon award ofthe contract.5. Successful Contractor must complete a W-9 form (Taxpayer Identification No.) upon award.6. The City of Durango is exempt from all local, state, and federal taxes.
- Commodity Codes
-
- NAICS 541211Offices of Certified Public Accountants
- NAICS 541519Other Computer Related Services
- NAICS 561612Security Guards and Patrol Services
- NAICS 561621Security Systems Services (except Locksmiths)
* Disclaimer: Government BidHub provides information on bids, RFPs (Requests for Proposals), and RFQs (Requests for Qualifications) solely for convenience and informational purposes. This site is not an official public notice board. For official details, responses, or inquiries, please contact the relevant government agency directly.
Empower Your Bidding Strategy
Unlock Government BidHub's unparalleled access to high-quality, tailored bid information.
- Access an extensive database of bids, including comprehensive local and state opportunities.
- Receive customized alerts for the bids that matter most to your business.
- Explore detailed specifications to ensure precise and competitive submissions.
- Gain a competitive edge with up-to-date information and exclusive opportunities.
See Also
Description: FY 27 UCR/CR Evaluations Department: CDHS - Office of Behavioral Health Buyer:
State Government of Colorado
Bid Due: 6/30/2027
Description: Foster Support Department: CDHS - Office of Children Youth and Family Buyer:
State Government of Colorado
Bid Due: 7/28/2026