City of Norcross
Information Technology Department
REQUEST FOR PROPOSALS
CYBERSECURITY ASSESSMENT, COMPLIANCE,
& GOVERNANCE SERVICES
RFP 26-10
1
City of Norcross
Information Technology Department
REQUEST FOR PROPOSALS
CYBERSECURITY ASSESSMENT, COMPLIANCE, & GOVERNANCE
SERVICES
RFP IT 26-10
The City of Norcross Information Technology Department is seeking competitive
proposals from qualified cybersecurity consulting firms to assess our current security posture,
develop a comprehensive security and compliance framework, and deliver tailored training to
our personnel. The ideal partner will help us establish a sustainable, self-sufficient cybersecurity
governance structure.
The proposal package should be clearly marked “RFP IT 26-10– CYBERSECURITY ASSESSMENT,
COMPLIANCE, & GOVERNANCE SERVICES” on its face and submitted by 10:00 a.m. (EST) on
July 7, 2026, to the address below. Please submit two printed copies and one electronic copy
(USB) of your RFP package to:
Charlene Marsh
Procurement & Capital Projects Manager
City of Norcross Public Works Department
345 Lively Avenue
Norcross, GA 30071
Both printed and electronic copies must contain the same information. Return address must be
clearly marked on the outside of the proposal packet.
There will be an optional pre-proposal meeting for this solicitation on June 26, 2026, at 10:00
a.m. at Norcross City Hall (65 Lawrenceville Street Norcross, GA 30071).
Please submit questions/requests via e-mail only to procurement@norcrossga.net by 5:00
p.m. (EST) on June 29, 2026. Questions and answers will be posted in an addendum on the
City Website.
No proposal will be received or accepted after the above specified date and time.
Submissions received after the designated date and time will be deemed invalid and
returned unopened to the firm.
No proposal may be withdrawn within thirty (30) days after the proposal deadline. Requests
for withdrawals must be submitted in writing. All proposals shall remain firm for 90 days after
the submission deadline.
1. INTRODUCTION
The City of Norcross is seeking competitive proposals from qualified cybersecurity
consulting firms to assess our current security posture, develop a comprehensive
security and compliance framework, and deliver tailored training to our personnel. The
ideal partner will help us establish a sustainable, self-sufficient cybersecurity
governance structure. The project will ultimately result in the development of federally
compliant cybersecurity policy infrastructure designed for the City of Norcross
cybersecurity goals. Consultants’ proposals with verifiable grant-funded security
projects and experience in conjunction with NIST-aligned frameworks in local
municipalities will be given strong consideration. The selected consultant must align
itself with Georgia’s state cybersecurity plan, coordinated with the Georgia Technology
Authority (GTA) and State and Local Cybersecurity Grant Program (SLCGP) Objective 1.
2. BACKGROUND
The City of Norcross is home to over 19,000 residents. The city currently employs
approximately 150 full-time and part-time employees across 12 departments, including
E-911 Dispatch and Norcross Police. Norcross Power, the city’s utility company,
provides power to approximately 5,500 residential and commercial customers. The City
of Norcross Information Technology Department and Main Distribution Frame (MDF)
are housed in City Hall, connecting the multiple city buildings along with our co-location
via a distributed WAN environment.
3. PROJECT DESCRIPTION
This project will ultimately result in the development of federally compliant
cybersecurity policy infrastructure designed for the City of Norcross cybersecurity goals.
Consultants’ proposals with verifiable grant-funded security projects and experience in
conjunction with NIST-aligned frameworks in local municipalities will be given strong
consideration.
The selected consultant must align itself with Georgia’s state cybersecurity plan,
coordinated with the Georgia Technology Authority (GTA) and State and Local
Cybersecurity Grant Program (SLCGP) Objective 1.
The proposal must align the City of Norcross with the governance standardization that
incorporates CIS 18 Critical Controls and the NIST Risk Management and Cybersecurity
Frameworks.
The selected consultant must also perform the following tasks:
• Conduct a cybersecurity risk assessment across all City of Norcross departments.
• Develop a comprehensive cybersecurity plan in the identification, protection,
detection, response and recovery of data.
• Present a cybersecurity resiliency roadmap with incorporated deliverables and
milestones towards a security strategy that places prioritization on Norcross’s
objectives.
• Provide Norcross with increased and enhanced cybersecurity controls for
increased visibility and management while strengthening the city’s overall
security posture.
• Norcross’ primary goal is the establishment of an effective Zero Trust
infrastructure that will align with ever-changing threats to our municipality.
• Integrate and support the following cybersecurity elements including:
o Element 1 – Information Systems Management
o Element 2 – Network Monitoring
o Element 3 – Continuous Vulnerability Assessment
o Element 4 – Adoption of Best Security Practices
o Element 5 – Continuity of Operations
o Element 6 – Threat Indicator Sharing
o Element 7- Leverage of CISA services
o Element 8 – IT/OT Modernization
o Element 9 – Risk & Threat Strategy
4. SCOPE OF SERVICES
Phase 1: Risk Assessment & Gap Analysis
Deliverable: Risk and compliance assessment report
• Evaluate our existing cybersecurity policies, procedures, and controls.
• Assess our current compliance to ensure alignment with relevant frameworks such
as National Institute of Standards and Technology Cybersecurity Framework (NIST
CSF)/ Health Insurance Portability and Accountability Act (HIPAA)/ Criminal Justice
Information Services (CJIS)/ ISO 27001.
• Conduct analysis to identify deficiencies and potential exposure to the network and
databases based upon previous penetration test results provided by the City of
Norcross to the selected contractor upon signed Memorandum of Understanding
(MOU).
• Provide clear guidance and clarification regarding cloud-based platforms in
conjunction with necessary security frameworks.
Phase 2: Policy & Framework Development
Deliverable: Policy recommendations report
Develop comprehensive, tailored cybersecurity policies covering:
• Access control and identity management (including Multi-Factor Authentication).
• Data protection, privacy, and secure cryptographic storage (at rest and in transit).
• Incident Response (IR) and Business Continuity / Disaster Recovery (BC/DR)
planning.
• Vendor and third-party risk management
Phase 3: Training & Implementation Support
Deliverable: Training roadmap and framework mapping chart
• Deliver targeted cybersecurity awareness training for general end-users.
• Provide advanced operational training for IT staff.
• Train-the-Trainer Model: Establish an internal capability by equipping designated
personnel to deliver ongoing cybersecurity education within their respective
departments.
• Deliver an actionable roadmap and framework mapping chart ensuring clear linkage
between policy components and organizational goals
5. SCHEDULE OF EVENTS
Release of RFP
Optional Pre-Proposal Meeting
Deadline for Written Questions
Proposals Due
Proposal Evaluation
Contract Award
June 18, 2026
June 26, 2026 (10:00 a.m. EST)
June 29, 2026 (5:00 p.m. EST)
July 7, 2026 (10:00 a.m. EST)
July 2026
August 2026
6. RESTRICTIONS ON COMMUNICATIONS WITH STAFF
All questions about this RFP should be sent to procurement@norcrossga.net. Please
include the company name and the referenced RFP section in the following format:
Company Name
1. Question
Citation of relevant section of the RFP
2. Question
Citation of relevant section of the RFP
7. SUBMISSION GUIDELINES & INSTRUCTIONS
Firms must submit two paper copies and one USB copy of the proposal. A complete
submission includes the following components:
Cover letter/Executive summary
Proposals should include a cover letter introducing the financial
institution, indicating understanding of the scope of services requested,
and highlighting key aspects of the proposal. Provide an overview of the
firm’s operations, management, and customer service philosophies.
Background
• Firm name, address, telephone numbers, and email addresses
• Years in business under present name and names and dates for
previous names (if applicable)
• List of all parent or subsidiary companies
Qualifications
• Describe experience with providing requested services to
This is the opportunity summary page. It provides an overview of this opportunity and a preview of the attached documentation.