RFP - GTID-01-2024 - Security Operations (SecOps)
1. Summary
The contents of this Request for Proposal (RFP) as well as any subsequent communications between
Chemonics International Inc. (Chemonics) and the prospective vendor are to be treated as confidential and
are not to be distributed or shared without prior written authorization from Chemonics’ authorized
representatives.
Chemonics is currently seeking vendors capable of assisting the company in the implementation of a
Security Operations (SecOps) module within the ServiceNow platform. The objective is to incorporate key
functionalities including Vulnerability Management, Security Incident Response, and Governance, Risk,
and Compliance (GRC) capabilities. Additionally, vendors should be able to help with Configuration
Management Database (CMDB) setup and integration. Interested vendors must possess expertise in
ServiceNow implementation, particularly in the realm of security operations. We look forward to receiving
proposals that demonstrate a comprehensive understanding of our requirements and a proven track record
of successful implementations in similar contexts.
The issuing of Chemonics’ RFP is the commencement of a multistage tender process to enter a contractual
relationship with a partner for the provision of SecOps and GRC modules.
Chemonics reserves the right, at its absolute discretion, to adopt any procurement strategy following the
evaluation of RFP responses, including (without limitation):
Stage 1
This RFP seeks to elicit information from potential vendors on the availability and suitability of their
capabilities to meet Chemonics’ strategic needs and aspirations. The provided responses will be used to
determine:
• Capacity and capability of vendors to deliver Chemonics’ strategic needs and aspirations.
• Indicative timeframes, methodology and approach to delivery as encapsulated in the three
scopes.
• Indicative expertise and costs as encapsulated in the three scopes.
The second stage will involve the shortlisting of not only potential vendors that demonstrate the capability
to meet Chemonics’ business needs and strategic aspirations through structured, yet innovative solutions,
but also those suppliers that align and fit culturally with Chemonics’ values and, in so doing, can establish
a long-term and successful partnership with Chemonics.
Chemonics will undertake a due diligence exercise in which we will look to validate RFP responses through
internal reviews, interviews, reference checks, etc. We will also provide the shortlisted suppliers with an
opportunity to showcase their capability through a presentation of their approach (or range of approaches)
to meet our needs and aspirations.
Stage 3
The third stage, should Chemonics decide to proceed with an offeror’s proposal, will involve an "offer"
phase, where Chemonics will start contract negotiations with the shortlisted vendor for the provision of
services.
Stage 4
3. Company Background
Chemonics was founded in 1975. It is an employee-owned international development consulting company
that helps governments, businesses, civil society groups, and communities promote meaningful change so
people can live healthier, more productive, and more independent lives. Working under contract to the U.S.
Agency for International Development (USAID) and other foreign aid donors, we deliver projects in the
areas of financial services, private sector development, health, environmental management, gender, crisis
prevention and recovery, democracy and governance, agriculture, and pharmaceutical supply chain. Our
main offices are based in Washington, D.C. and London and operate in more than 68 countries.
Since 2019, Chemonics has been utilizing ServiceNow to address IT Service Management (ITSM)
requirements. Our ongoing commitment to optimizing operational efficiency and enhancing security
protocols has led to the recognition of the need for a dedicated Security Operations (SecOps) module within
our ServiceNow platform. The addition of this module will further bolster our ability to proactively monitor,
detect, and respond to security incidents, ensuring the continued protection of our systems and data assets.
Below are the products Chemonics has:
The proposal should include a phased approach of implementing the below 3 modules separate from
each other but considering all dependencies between them. Please provide budget and timelines for
each module separately.
Finding of current systems and processes related to vulnerability management focused on (but
not limited to):
• Automated workflows for vulnerability identification, assessment, and remediation.
• Prioritization and categorization of vulnerabilities based on severity.
• Integration with vulnerability scanning tools and platforms.
• Reporting and analytics capabilities to track and monitor vulnerabilities over time.
• Compliance with industry standards and regulations related to vulnerability management.
Deliverables:
• Finding and recommendations document
• Baseline requirements document with room for changes during implementation
• Implementation plan with budget and detailed timelines
• Implementation of the above requirements in ServiceNow
• Hypercare & Support
Discovery of current governance, risk, and compliance processes focused on (but not limited to)
Deliverables:
• Finding and recommendations document
• Baseline requirements document with room for changes during implementation
• Implementation plan with budget and detailed timelines
• Implementation of the above requirements in ServiceNow
• Hypercare & Support
Finding of current systems and processes related to security incident management focused on
(but not limited to):
Deliverables:
• Finding and recommendations document
• Baseline requirements document with room for changes during implementation
• Implementation plan with budget and detailed timelines
• Implementation of the above requirements in ServiceNow
• Hypercare & Support
Sections I-III of the proposal should not exceed 20 pages in total. The budget and NDA do not count against
this page limit. Images of different solutions that highlight past performance and institutional capacity do
not count against this page limit.
The approach must demonstrate a systematic and phased implementation strategy tailored to address
Chemonics’s priorities and requirements. Offers should provide a phased implementation strategy with 1)
the deployment of the Vulnerability Management module, followed by 2) the implementation of Governance,
Risk, and Compliance functionalities within the ServiceNow platform with 3) the integration of Security
Incident Management capabilities, and culminating.
Offerors should demonstrate for each phase meticulous assessment, design, configuration, testing, and
training activities, ensuring alignment with industry best practices and regulatory standards. The goal is to
deliver a comprehensive solution that enhances our organization's security posture, incident response
capabilities, and compliance management processes, while maximizing operational efficiency and
effectiveness.
• ServiceNow SecOps Certifications: The architects and developers for this project should hold
various certifications related to ServiceNow SecOps, ensuring a robust understanding of the
platform and its security management capabilities. It's important to note that most partners possess
these certifications.
• Education Requirement: A bachelor's degree is considered a prerequisite for this role. This
ensures a solid educational foundation for the potential candidates.
Please provide three to five examples of related services provided by your company to companies that
are of a similar size to Chemonics. (No more than 5 pages)
IV. Budget
Please provide a detailed budget outlining your firm’s proposed cost for completing each scope of work
listed above. Budgets must provide a detailed breakdown of costs by phase. Offerors must also explain
in the budget the basis of the costs such as individual labor rates and material costs as well as any
markups or fees which are to be applied. While Chemonics may prioritize other aspects of your proposal
over cost, we will evaluate all cost proposals for realism and reasonableness.
The following is a tentative schedule that will apply to this RFP but may change in accordance with
Chemonics’ needs or unforeseen circumstances. Changes will be communicated by email to all invited
vendors.
In responding to this RFP, the Offeror accepts full responsibility to understand the RFP in its entirety and
in detail, including making any inquiries to Chemonics as necessary to gain such understanding.
Chemonics has absolute discretion to determine whether any Offeror has demonstrated such
understanding. That right extends to canceling or excluding an offer from further consideration. Such
disqualification and/or cancellation shall be at no fault, cost or liability whatsoever to Chemonics.
Vendor proposals that do not contain sufficient information to permit proper evaluation to be conducted or
contain electronic responses that cannot be effectively evaluated because the file has become corrupt,
may be excluded from the evaluation process without further consideration.
The information provided by Chemonics in this RFP is offered in good faith. Individual items are subject to
change at any time. Chemonics makes no certification that any item is without error. Chemonics is not
responsible or liable for any use of the information or for any claims asserted therefrom.
5.3 Communication
Written communication regarding this RFP shall be via email exchange with Bhuvan Vemuri
(bvemuri@chemonics.com) and IT Operations at GTI-operations@chemonics.com and shall contain
GTID-01-2024 as the subject line. Verbal communication shall not be effective unless formally confirmed in writing
by IT Operations. In no case shall verbal communication prevail over written communication.
5.3.2 Addenda
Chemonics will, in good faith, make every effort to provide a written response to each question or request
for clarification that requires addenda within five business days from the due date of the RFP questions.
All appropriately deemed questions and answers will be captured in an addendum that Chemonics will
share with all respondents. Chemonics will not respond to any questions or requests for clarification that
require addenda if received by Chemonics after the questions due date has passed.
The Non-Disclosure Agreement (NDA) in Addendum 1 of this document must be signed and returned by the
offerors by the due date of 06/20/2024, as noted in 5.1, to keep in confidence and prevent the disclosure of
any confidential information during presentations and/or other discussions. Please be aware that modifications
to the Non-Disclosure Agreement (NDA) will not be accepted. Please ensure that you return the
signed NDA without any revisions.
• Sections I-III, referenced under section 4.2 above, must be in PDF. Section IV (Budget)
should be submitted in PDF and Excel. Sections I-IV and any past performance image
attachments should be submitted via one email.
• Electronically submitted proposals may become corrupt or incomplete — for example, by
computer viruses. Chemonics may decline to consider a proposal that cannot be effectively
evaluated because it is incomplete or corrupt. Note that:
o To reduce the likelihood of viruses, offeror must not include any macros, applets, or
executable code or files in its response.
After the RFP closing date, all proposals submitted are kept in a secured Chemonics tender folder.
It is the responsibility of the respondent to ensure that its proposal has been received within the time frame
outlined in this RFP. To ensure fair and equal treatment of all vendors, proposals that are received late or
are incomplete may not be evaluated.
Chemonics will not penalize any respondent whose proposal/response is received late if the delay is due
solely to mishandling by Chemonics. Acceptance or nonacceptance of a late proposal for evaluation will be
at the sole discretion of Chemonics. The evaluation team will ensure that the integrity and competitiveness
of the evaluation process is not compromised when making a decision in this regard.
All information submitted in response to the RFP shall become the property of Chemonics. All such
material shall be treated as "Commercial in Confidence" and will only be disclosed for the purposes of
evaluation, or as required by law or government policy. Chemonics may make copies of the responses for
any purpose related to the evaluation of the RFP.
5.8 Extensions
The RFP invitation period is set to provide sufficient time for suppliers to consider and respond to
Chemonics's requirements. Extensions will not occur unless there are exceptional circumstances.
Determination of requests for extension by suppliers will take account of both the particular circumstances
and timeliness of the request.
At any time before Chemonics decides on an appropriate procurement strategy (including, but not limited
to, the shortlisting of RFP respondents for the purpose of commercial negotiations), a vendor may vary its
proposal:
Vendors are advised to review the Summary and participate in the bidder’s conference to view
Chemonics’ current Security Operations (SecOps).
Information supplied by the respondent in the proposal will be assessed against the internally weighted
priority that Chemonics has assigned to each selection criterion.
During the evaluation phase, a respondent may be contacted by an officer of the evaluation committee to
clarify details of its proposal.
5.13 Outcomes
The outcome of the proposals assessment stage, based on agreed evaluation criteria, will be submitted
to Chemonics' Chief Information Officer. Chemonics is not bound to enter into a contracting arrangement
with any respondent. Following the Chief Information Officer’s decision, all respondents are notified in
writing of the outcome of their proposals.
Chemonics reserves the right to discontinue the procurement process at any point without making a
determination regarding the invitation of expressions of interest from one or more respondents.
Chemonics will not be liable for any losses suffered by a respondent as a result of discontinuance of the
procurement process, including the costs of responding.
A nondisclosure agreement (NDA) will be issued as per the schedule outlined in Section 5.1.
No potential respondent shall disclose any information relating to this RFP process or the required
services via any media release or any other publication without the prior written consent of Chemonics.
Chemonics has no objection to the potential registrant copying the RFP document for internal working
purposes to prepare a response.
Chemonics is not committed contractually in any way to those individuals, partnerships or organizations
whose responses are accepted. The issue of this RFP invitation does not commit or otherwise oblige
Chemonics to proceed with any part or steps of the process.
Although the information contained in this RFP invitation has been formulated with all due care,
Chemonics does not warrant or represent that the information is free from errors or omissions. The
information is made available on the understanding that Chemonics, and its respective staff and agents,
shall have no liability (including liability by reason of negligence) for any loss, damage, cost or expense
incurred or arising by reason of any person using or relying on the information, and whether caused by
reason of any error, omission or misrepresentation in the information or otherwise.
Furthermore, Chemonics takes no responsibility for the accuracy, currency, reliability and correctness of
any information included in this RFP.
No respondent shall be deemed to have been shortlisted until the respondent has been notified of such
by Chemonics in writing.
Respondents should note that the responses provided as part of this RFP process will, if successful in
their application, form the foundation of any subsequent contract, which will not necessarily supersede
the respondents' response provided.
Chemonics requests that the following clauses be added to any contractual agreement:
Except as authorized by the Department of Treasury’s Office of Foreign Assets Control (OFAC), the
Contractor shall not acquire for its use in the performance of this subcontract, any supplies or services if
any proclamation, U.S. Executive Order, U.S. statute, or OFAC’s implementing regulations (31 CFR
Chapter V), would prohibit such a transaction by a U.S. person, as defined by law.
(Except as authorized by OFAC, most transactions involving Cuba, Iran, the Sudan, Burma and North
Korea are prohibited, including importing/exporting to/from the United States, engaging in financial
transactions, or facilitating any prohibited transactions by third parties. Lists of entities and individuals
subject to economic sanctions – which are updated routinely – are included in OFAC’s List of Specially
Designated Nationals and Blocked Persons at http://www.treas.gov/offices/enforcement/ofac/sdn. It is the
Contractor’s responsibility to remain informed as to sanctioned parties and to ensure compliance with all
relevant U.S. sanctions and trade restrictions. More information about these restrictions, as well as
updates, is available in the OFAC’s regulations at 31 CFR Chapter V and/or on OFAC’s website at
http://www.treas.gov/offices/enforcement/ofac.)
INTELLECTUAL PROPERTY
Contractor warrants that the Work performed or delivered under this Subcontract will not infringe or
otherwise violate the intellectual property rights of any third party in the United States or any foreign
country. Except to the extent that the U.S. Government assumes liability therefor, Contractor shall defend,
indemnify, and hold harmless Chemonics and its clients from and against any claims, damages, losses,
costs, and expenses, including reasonable attorneys’ fees, arising out of any action by a third party that is
based upon a claim that the Work performed or delivered under this Subcontract infringes or otherwise
violates the intellectual property rights of any person or entity. This indemnity and hold harmless shall not
In addition to any other allocation of rights in data and inventions set forth in this agreement, Contractor
agrees that Chemonics, in the performance of its prime or higher tier contract obligations (including
obligations of follow-on contracts or contracts for subsequent phases of the same program), shall have
under this agreement an unlimited, irrevocable, paid-up, royalty-free right to make, have made, sell, offer
for sale, use, execute, reproduce, display, perform, distribute (internally or externally) copies of, and
prepare derivative works, and authorize others to do any, some or all of the foregoing, any and all,
inventions, discoveries, improvements, mask works and patents as well as any and all data, copyrights,
reports, and works of authorship, conceived, developed, generated or delivered in performance of this
Contract.
The tangible medium storing all reports, memoranda or other materials in written form including machine
readable form, prepared by Contractor, and furnished to Chemonics pursuant to this Subcontract shall
become the sole property of Chemonics.
INDEMNITY
The Contractor shall defend, indemnify, and hold harmless Chemonics from any loss, damage, liability,
claims, demands, suits, or judgments (“Claims”) including any reasonable attorney’s fees, and costs, as a
result of any damage or injury to Chemonics or its employees, directors, officers, or agents, or properties,
or for any injury to third persons (including, but not limited to Claims by Contractor’s employees, directors,
officers or agents) or their property which is directly or indirectly caused by the negligence, willful
misconduct, breach of this Subcontract, or violation of statutory duties of Contractor, or its employees,
officers, directors, or agents, arising out of or in connection with the performance of this Subcontract
unless such Claim is caused by, or resulting from, a material breach of this Subcontract by Chemonics.
PAYMENT TERMS
Chemonics will pay the Contractor 30 days after the completion of the outlined work and submission of an
invoice.
NON-DISCLOSURE AGREEMENT
CHEMONICS INTERNATIONAL INC
1275 New Jersey Avenue SE.
Washington, D.C. 20003
And
This Agreement made and effective as of (enter current date), by and between Chemonics
International Inc. (hereinafter called “Chemonics” or “CI”) with its primary place of business at 1275 New
Jersey Avenue SE, Washington, D.C. 20003, USA and Offeror with its primary place of business at,
, individually referred to as “Offeror” and collectively as “the
Offerors”.
WITNESSETH THAT:
WHEREAS, Chemonics agrees to furnish Offeror/Offerors confidential information, and Offeror/Offerors
agrees to furnish Chemonics certain confidential information relating to its servicing of Chemonics’ real
estate portfolio.
WHEREAS, “confidential information” means any data or information that is identified as proprietary or
confidential by the disclosing Party and not generally known to the public, whether in tangible or intangible
form, whenever and however disclosed, including, but not limited to: (i) any teaming and/or marketing
strategies, technical approaches, designs and plans, financial information, cost structures, projections,
operations, cost estimates, business plans and performance results relating to the past, present or future
business activities of such party, its affiliates, subsidiaries and affiliated companies; (ii) plans for products
or services, and customer or supplier lists; (iii) intellectual property and any scientific or technical
information, invention, design, process, procedure, formula, improvement, technology or method; (iv) any
concepts, reports, data, know-how, works-in-progress, tools, templates, databases, designs, development
tools, specifications, computer software, source code, object code, flow charts, databases, inventions,
information and trade secrets; and (v) any other information that should reasonably be recognized as
confidential information of the Disclosing Party. Confidential information need not be novel, unique,
patentable, copyrightable or constitute a trade secret to be designated confidential information. The
Receiving Party acknowledges that the confidential information is proprietary to the Disclosing Party, has
been developed and obtained through great efforts by the Disclosing Party and that Disclosing Party
regards all of its confidential information as trade secrets.
NOW, THEREFORE, in consideration of these premises, and in express reliance upon the mutual promises
and covenants contained herein, Chemonics and Offeror/Offerors agree as follows:
1. All confidential information provided to Offeror/Offerors by Chemonics that may be obtained in
connection with Offeror/Offerors’ assistance and cooperation with CI shall remain the property of and
be deemed confidential to Chemonics. Offeror/Offerors agrees to accept such confidential information
in confidence, to accord it the protection required by this Agreement and such additional protection
as Offeror/Offerors customarily accords to its own confidential information, to hold such confidential
information in trust for Chemonics, and to use such confidential information solely and exclusively in
accordance with the purpose described above in this Agreement, provided, however, that
Offeror/Offerors, in the capacity as the receiving Party shall not be liable for disclosure or use of
confidential information if the same:
a. was properly in the public domain at the time it was disclosed,
This Agreement and each Party's obligations shall be binding on the representatives, assigns and
successors of such party. Each Party has signed this Agreement through its authorized representative.
_________________________________ ___________________________________
Printed Name and Title of Offeror’s Authorized
Representative
_________________________________ ______________________________________
DATE DATE