Vulnerability Assessment, Cybersecurity Audit, & Penetration Testing Services

Location:	California
Posted:	Dec 6, 2025
Due:	Dec 15, 2025
Agency:	Marina Coast Water District
Type of Government:	State & Local
Category:	Q - Medical Services R - Professional, Administrative and Management Support Services
Publication URL:	To access bid details, please log in.

Attachment Preview

Marina Coast Water District

Request for Quotes (RFQ)

Vulnerability Assessment, Cybersecurity Audit, & Penetra�on Tes�ng Services

RFQ No.: MCWD-VCAP-2025

Issue Date: 11/18/2025

Deadline for Submission: 12/15/2025

I. Introduc�on

Marina Coast Water District (MCWD) invites qualiﬁed vendors to submit writen quotes for

Vulnerability Assessment, Cybersecurity Audit, and Penetra�on Tes�ng services. This procurement is

funded by the State and Local Cybersecurity Grant Program (SLCGP), administered by the U.S.

Department of Homeland Security (DHS) and the California Governor’s Oﬃce of Emergency Services

(Cal OES).

As funding for this grant is provided by the federal government, all ac�vi�es must comply with 2 CFR

Part 200 – Uniform Administra�ve Requirements, Cost Principles, and Audit Requirements for

Federal Awards (“Uniform Guidance”), including:

• Full and open compe��on (§ 200.319)

• Conﬂict of interest avoidance (§ 200.318)

• Cost reasonableness and price analysis (§ 200.404, § 200.320)

• Suspension and debarment compliance (§ 200.214, 2 CFR Part 180)

• Required contract clauses (Appendix II to Part 200)

MCWD is a public water and wastewater agency serving the City of Marina and the Ord Community.

The District provides potable water, recycled water, and wastewater collec�on services to residen�al,

commercial, and ins�tu�onal customers, including cri�cal facili�es. Its service area includes both

urban neighborhoods and former military lands undergoing redevelopment. This procurement

supports MCWD’s cybersecurity program by assessing vulnerabili�es, valida�ng controls, and tes�ng

defenses in alignment with SLCGP objec�ves and industry best prac�ces.

MARINA COAST WATER DISTRICT

Page 1 of 11

Vulnerability Assessment, Cybersecurity Audit, and Penetra�on

Tes�ng Services RFQ Dra� – Revised 08/07/2025

II. Scope of Work

The awarded vendor will perform a comprehensive cybersecurity engagement consis�ng of:

A. Vulnerability Assessment

• External and internal network vulnerability scans.

• Iden�ﬁca�on and priori�za�on of security gaps across IT, OT, and SCADA-adjacent systems.

• Veriﬁca�on of patch levels, misconﬁgura�ons, and exposure points.

B. Cybersecurity Audit

• Review of MCWD security policies, procedures, and technical controls against NIST CSF or

equivalent framework.

• Audit of access controls, network segmenta�on, backup integrity, and incident response

readiness.

• Assessment of vendor risk management processes.

C. Penetra�on Tes�ng

• Controlled simula�on of real-world cyberatacks on agreed-upon systems and applica�ons.

• Tes�ng of perimeter defenses, web applica�ons, VPN endpoints, and remote access

solu�ons.

• Social engineering tests (phishing, pretex�ng) where authorized.

D. Deliverables

• Ini�al project plan with deﬁned rules of engagement.

• Interim ﬁndings for cri�cal/high-risk vulnerabili�es.

• Final report including:

o Execu�ve summary for leadership.

o Detailed technical ﬁndings with severity ra�ngs.

o Recommenda�ons with remedia�on roadmap.

E. Conﬁden�ality and NDA Requirement

Vendor shall execute MCWD’s standard Non-Disclosure Agreement (see Appendix B) prior to

receiving any non-public informa�on or accessing MCWD facili�es, systems, or data. Vendor will

ensure that all personnel and subcontractors who may access such informa�on also execute and are

bound by the NDA. The NDA will govern the handling, use, disclosure, and protec�on of MCWD

informa�on, including test results, reports, and ﬁndings.

MARINA COAST WATER DISTRICT

Page 2 of 11

Vulnerability Assessment, Cybersecurity Audit, and Penetra�on

Tes�ng Services RFQ Dra� – Revised 08/07/2025

Vendor shall use MCWD informa�on only for performance of the work, shall not disclose it to third

par�es without MCWD’s prior writen consent, and shall return or securely destroy all copies at the

end of the engagement and cer�fy destruc�on upon request. Obliga�ons survive comple�on or

termina�on of the contract, and for trade secrets they survive indeﬁnitely. Any breach of

conﬁden�ality is a material breach and may en�tle MCWD to injunc�ve relief in addi�on to other

remedies. Vendor shall not use MCWD’s name, logo, or engagement details in marke�ng or

publica�ons without MCWD’s prior writen consent.

F. Timeline

Project kickoﬀ within two (2) weeks of contract execu�on; comple�on of all ac�vi�es and ﬁnal

repor�ng within 60 calendar days unless otherwise approved by MCWD in wri�ng.

III. Quote Requirements

A. Cover Leter – Vendor intro, scope commitment, compliance acknowledgment, signature.

B. Company Proﬁle – Legal info, relevant experience (especially public u�li�es/SCADA), key

personnel bios, subcontractor details.

C. Technical Proposal – Assessment methodology, tools, frameworks, penetra�on tes�ng approach,

rules of engagement, repor�ng formats.

D. Cost Proposal – Fixed price preferred, itemized breakdown (assessment, tes�ng, repor�ng), total

within federally approved grant alloca�on.

E. Federal and Grant Compliance Documenta�on –

• Proof of Non-Suspension/Debarment: Writen cer�ﬁca�on and/or oﬃcial documenta�on

showing vendor is not suspended, debarred, or otherwise ineligible to receive federal funds,

per 2 CFR § 200.214 and 2 CFR Part 180. Must be provided before award; burden of proof is

on the vendor.

• Payment & Reimbursement: MCWD will pay the vendor directly and seek reimbursement

from Cal OES under the SLCGP grant.

• Cer�ﬁca�on of compliance with 2 CFR Part 200 and agreement to required federal contract

clauses.

• Statement acknowledging procurement records may be subject to audit or disclosure.

• References – At least two from similar public sector cybersecurity engagements.

• Addi�onal Materials (Op�onal) – Sample reports, methodologies, case studies, cer�ﬁca�ons

(OSCP, CISSP, CEH).

F. Acknowledgment and Acceptance of District’s Professional Services Agreement terms.

MARINA COAST WATER DISTRICT

Page 3 of 11

Vulnerability Assessment, Cybersecurity Audit, and Penetra�on

Tes�ng Services RFQ Dra� – Revised 08/07/2025

IV. Evalua�on Criteria

Quotes will be evaluated on a best value to the District basis, per 2 CFR 200.320. MCWD will

consider technical merit, relevant experience, compliance, and cost. Weighted criteria:

1. Responsiveness to Scope – 30%

2. Vendor Qualiﬁca�ons – 25%

3. Cost Reasonableness – 20%

4. Timeline/Flexibility – 15%

5. Federal Compliance – 10%

V. Submission Instruc�ons

• Deadline: 12/15/2025, 5:00 PM PT

• Method: Single consolidated PDF emailed to tespero@mcwd.org

• Op�onal vendor ques�ons: 12/1/2025 deadline; responses shared with all interested par�es

• Quotes valid for 90 days from deadline

VI. Compliance Requirements

• Suspension and Debarment: Vendors must provide proof they are not suspended, debarred,

or otherwise ineligible for federal funds prior to award.

• Recordkeeping: Retain records for 3 years a�er payment, available for audit.

• Domes�c Preference: Preference for U.S.-produced goods/services where applicable.

• Federal Clauses: Equal Employment Opportunity, Termina�on, Byrd An�-Lobbying,

Prohibi�on on certain telecom/video equipment, Audit/Access to Records.

VII. Funding

A. Funding and Payment

• Funded by SLCGP; MCWD pays vendor directly and seeks Cal OES reimbursement a�er

comple�on and grant documenta�on.

• Vendors must accommodate this payment arrangement.

• MCWD will withhold ﬁve percent (5%) of the total contract value. Reten�on will be released

within thirty (30) days a�er MCWD issues writen ﬁnal acceptance of all deliverables and

receives the ﬁnal report. Reten�on is not a cap on MCWD’s rights, is not subject to interest,

and does not replace any warranty, indemnity, or other contractual obliga�ons.

B. Cost Parameters

MARINA COAST WATER DISTRICT

Page 4 of 11

Vulnerability Assessment, Cybersecurity Audit, and Penetra�on

Tes�ng Services RFQ Dra� – Revised 08/07/2025

• Vendors should propose the most cost-eﬀec�ve solu�on that meets the Scope of Work and

compliance requirements.

• All costs must comply with 2 CFR Part 200 Subpart E.

C. Cost Inclusions

• Assessment planning, scanning tools, tes�ng labor, repor�ng, remedia�on consulta�on,

project management, travel (if applicable), taxes, and allowable indirect costs.

D. Pricing Structure

• Fixed-price proposals preferred; itemized breakdown required.

VIII. An�cipated Timeline

Milestone

Descrip�on

Target Date

RFQ Release

MCWD issues the RFQ.

11/18/2025

Vendor Ques�ons Deadline

Deadline for writen ques�ons.

12/1/2025

MCWD Responses

Responses to all vendor ques�ons. 12/8/2025

Quote Submission Deadline

Deadline per Sec�on V.

12/15/2025 @ 5

p.m. (Paciﬁc)

Ini�al Compliance Review

Completeness and eligibility review. 12/22/2025

Evalua�on and Scoring

Scoring per Sec�on IV.

12/22/2025-

12/26/2025

Proof of Non-

Suspension/Debarment

Submission

Required from top-ranked vendor

prior to award.

12/29/2025-

1/2/2026

No�ce of Intent to Award

Issued a�er proof veriﬁca�on.

1/5/2025

Contract Execu�on

Includes all federal provisions.

2 weeks a�er

contract signing

Project Kickoﬀ

Onboarding, scheduling, rules of

engagement.

2 weeks a�er

contract signing

Field Work

Vulnerability assessment, audit, and Within 60 days of

penetra�on tes�ng ac�vi�es.

execu�on

Final Repor�ng

Findings and recommenda�ons

delivered.

Within 60 days of

scope execu�on

MARINA COAST WATER DISTRICT

Page 5 of 11

This is the opportunity summary page. It provides an overview of this opportunity and a preview of the attached documentation.