IT Security Audit RFP 2025
| Location: | Colorado |
|---|---|
| Posted: | Nov 18, 2025 |
| Due: | Dec 16, 2025 |
| Agency: | City of Durango |
| Type of Government: | State & Local |
| Category: |
|
| Publication URL: | To access bid details, please log in. |
Attachment Preview
REQUEST FOR PROPOSALS
IT Security Audit
ISSUE DATE: November 7, 2025.
Information Technology Department
949 East 2nd Avenue
Durango, CO 81301
(970) 375-4994
www.DurangoCO.gov
REQUEST FOR PROPOSALS
The City of Durango, Colorado, by and through its Purchasing Administrator, is accepting proposals
from qualified firms for an IT Security Audit in accordance with the terms, conditions, and
specifications contained in these documents.
Bidders wishing to participate should ensure they have all addenda prior to submission of the bid.
Failure to acknowledge receipt of any addenda applicable to this project could result in the rejection
of your bid.
This request for information and any subsequent addenda will be posted to the Rocky Mountain E-
Purchasing System website (www.bidnetdirect.com/colorado), then click on Vendor Login or Vendor
Registration if you have not already registered. Firms are encouraged to register with RMEPS for all
City bid opportunities.
Questions: All questions must be submitted via the Rocky Mountain E-Purchasing System website:
(www.bidnetdirect.com/colorado).
Question Deadline: November 20, 2025. (Local Time): 3:00 p.m. (MDT)
Questions received after the deadline may not be accepted.
Responses to Questions: December 4, 2025. (Local Time): 3:00 p.m. (MDT)
Submittal Instructions: Submittal requirements are outlined in Section III of this RFP.
Project Title: IT Security Audit
Bid Due Date and Time: December 16, 2025. (Local Time): 3:00 p.m. (MDT)
Deliver Proposals via: Rocky Mountain E-Purchasing Systems, www.bidnetdirect.com/colorado.
It is the sole responsibility of the respondent to see that the proposal is received before the
submission deadline. Late proposals will not be considered.
All proposals submitted shall be binding upon the respondent if accepted by the City within sixty (60)
calendar days of the submission date. Negligence on the part of the respondent in preparing the
proposal does not confer a right of withdrawal after the time fixed for the submission of the proposal.
This project is being bid in accordance with the City of Durango Purchasing Policy.
Bob Grogan, Jr.
Purchasing Manager
Advertised: November 7 & 12, 2025.
949 E. 2nd Avenue, Durango, CO 81301
I. INVITATION AND BACKGROUND
A. General Information and Scope of Work
The City of Durango invites all interested, qualified consultants capable of providing an IT
Security audit.
The purpose of this RFP is to:
• Identify vendors with expertise to perform an extensive IT security audit.
• Understand the methodologies and tools used by vendors to conduct security
audits.
• Gather information on the scope, timeline, and estimated costs associated with the
audit.
• Assess the capabilities of vendors in identifying and mitigating security
vulnerabilities.
Additionally, the selected vendor will be expected to:
• Conduct a thorough assessment of the City of Durango's IT cybersecurity
landscape, including the following systems and areas:
o External vulnerability scan penetration testing against a /24 public IP space
o Internal vulnerability scan/penetration testing with assumed-breach
scenario (e.g., stolen laptop with VPN access) against /21 IP space, as well
as IP addresses shared with Sister Government Agencies. Need to
coordinate with Sister IT to avoid possibly violating intergovernmental
agreements.
o Public Wi-Fi security analysis
o Other specific items?
• Evaluate the effectiveness of current security measures and policies for assuring
compliance with CJIS, CORA, and NIST.
• Identify potential security vulnerabilities and provide recommendations for
mitigation.
• Perform non-disruptive penetration testing and vulnerability assessments during a
planned outage window coordinated with external agencies.
• Provide a remediation plan that demonstrates findings, risks, and suggested
improvements.
• Provide a report on what was tested and what was not tested.
• Have at least 5 years of experience performing similar vulnerability assessments for
organizations with similar complexity and compliance requirements. Also hold the
following certifications OSCP/OSCE.
B. City Background
City of Durango Cyber Security Profile:
• Cyber security team with two dedicated analysts
• Endpoint protection deployed on all endpoints and servers.
• Ongoing required cyber training for all users with simulated phishing exercises
• Internal vulnerability scanning across multiple business VLANS.
• HA Firewalls on the edge of the environment, monitoring north / south traffic.
• Internal firewalls segmenting the business network from SCADA operations, monitoring
east / west traffic.
• VPN solutions deployed on both hardware and software solutions
• SaaS and private cloud applications with SSO deployed with MFA.
• Private cloud is hosted within redundant data centers
• Cyber-security policy library\
• Full-service city with airport, water treatment, police, fire, inter-agency cooperation with
other local governments, etc.
C. Requirements
The selected vendor will conduct the security audit in two distinct phases:
1. External Assessment
Perform external vulnerability scanning, penetration testing, and risk assessment across
xx public IP addresses.
2. Internal Assessment
Conduct internal vulnerability scanning, penetration testing, and risk assessment across
both/a/24 and two/21/21 internal network segments.
The awarded vendor will be provided with VPN access and an organizational user
account to facilitate this portion of the engagement.
The following features should be highlighted by the contractor’s proposal.
• Overview of the company, including history and areas of expertise, as well as similar
projects completed in the past
• Detailed description of the proposed audit methodology.
• Examples of previous IT security audits performed, including outcomes and client
references, as well as redacted results of previous assessments.
• Proposed timeline for completing the audit.
• Estimated cost for the audit.
D.
General Information
1. Time is of the essence, and any submittals received after the announced time and date
will be rejected. It is the sole responsibility of the Respondent to ensure that their RFI is
received by electronic submission at www.bidnetdirect.com/colorado by the due date and
time.
2. Nothing herein is intended to exclude any responsible firm or in any way restrain or
restrict competition. On the contrary, all responsible firms are encouraged to submit a
response. The City reserves the right to reject any or all submittals.
3. Identify the firm’s name, location of office(s), and website.
▪ Provide a brief description of your firm, including how long your firm has been in business.
▪ List the primary contact, with name, address, phone number, and email information. Identify other
key individuals (name and position).
▪ Provide the names and telephone numbers of at least three (3) client references of similar scope
with a brief description
II. PROPOSED SCHEDULE
PROPOSED SCHEDULE
Project’s 1st Publication
Project’s 2nd Publication
Contractor Questions Due
Final Addendum Issued by Purchasing
Proposals Due
Interviews if necessary
Notice of Award
Notice to Proceed
November 7, 2025.
November 12, 2025.
November 20, 2025. 3:00 PM Local Time
December 4, 2025. 3:00 PM Local Time
December 16, 2025. 3:00 PM Local Time
January TBD, 2026.
Estimated week of February TBD, 2026.
Estimated week of February TBD, 2026.
III. INSTRUCTIONS TO PROPOSERS
A. General
1. Submit Bids electronically via www.bidnetdirect.com/colorado prior to deadline. Please
submit all your required documents in a single PDF file in the bidder’s company name.
Late proposals will not be accepted.
2. All Bids must be a maximum of 30 pages in a minimum 12-point font. All pages with words
count towards the page limit.
3. Retain one copy for your records.
4. Successful Contractor must have or obtain a current City Business License upon award of
the contract.
5. Successful Contractor must complete a W-9 form (Taxpayer Identification No.) upon award.
6. The City of Durango is exempt from all local, state, and federal taxes.
This is the opportunity summary page. It provides an overview of this opportunity and a preview of the attached documentation.
Daily notification on new contract opportunities
With GovernmentContracts, you can:
- Find more opportunities and win more business
- Receive daily alerts for all new bid opportunities
- Get contract opportunities matched to your business
* Disclaimer: Information regarding bids, requests for proposals (RFPs), or requests for qualifications (RFQs) is provided on this website only for convenience and does not constitute official public notice. Persons wishing to respond to or inquire about bids, RFPs, or RFQs should contact the appropriate government department.