Statement of Work (SOW) – MSA Security Assessment


Proprietary & Confidential Information

The enclosed materials are propriety to CoreRecon, LLC (“CoreRecon”). CoreRecon reserves all rights, titles, and interest in and to such materials. The terms, conditions, and information set forth herein are confidential to CoreRecon, and may not be disclosed in any manner to any person other than the addressee, together with its officers, employees, and agents who are directly responsible for evaluating the contents of these materials for the limited purpose intended. These materials may not be used in any manner other than for such limited purpose. Any unauthorized disclosure, use, reproduction, or transmission is expressly prohibited without the prior written consent of CoreRecon.




1.1.            Parties. This Contract is by and between CoreRecon, LLC (“CoreRecon” or “Provider”) and (“Customer” or “Vendor”) —  Collectively, CoreRecon and Customer or Vendor, shall be referred to as “the Parties.”


Security Assessment Services Project Description



CoreRecon is responsible for the overall approach to information security at the Vendor and the operational security aspects of its hosted systems and applications. CoreRecon oversees general vulnerability scans and periodic security assessments. Audits are conducted internally and by third parties to ensure regulatory requirements are met. CoreRecon is looking to assess the security posture of its applications and systems and this assessment should be based on the NIST 800-53 rev. 4 standards.  The overall objective of this assessment is to strengthen the cybersecurity posture of the Vendor by identifying and prioritizing those deficiencies that are key for the protection of the citizen’s data.



The purpose of this Statement of Work (SOW) is for CoreRecon to be able to quickly procure proactive cybersecurity services from leading commercial providers in order to better protect systems identified as Restricted and Highly Restricted and to meet requirements set forth by the National Institute of Standards and Technology (NIST). This SOW will assist in procuring proactive cybersecurity services.


CoreRecon shall perform an assessment to provide detailed analysis of: system and network vulnerabilities; gaps in IT security governance; assessment of patching methodologies; current network security capabilities and potential existing security incidents. The assessment and reporting will be based on the NIST 800-53 MODERATE security controls. 


The assessment will consist of external and internally accessible systems, hosts and applications with the Vendor’s environment and shall consider, at a minimum, all of the following to be within the scope of work:


1.      Identification of application, system, and network vulnerabilities and assessment of patching methodologies.

a.      The assessment will be limited to publicly accessible hosts residing in the Vendor network segments deemed to be part of the DMZ or Transaction Zones (TZ) that provide shared hosting environments. This includes underlying Network Management and Out of Band zones and segments that provide network communications and services to the publicly accessible hosts. The private addresses or servers will also be in scope, but access will be through other means.

b.      Network segments in scope for this assessment will be provided upon the assessment and will be listed in CIDR notation (x.x.x.x/1, y.y.y.y/2, z.z.z.z/3, etc.). Network segments will be identified as belonging to the LAN, WLAN, VPN NAT pool or publicly accessible hosts in the DMZ and TZ.

c.      Conduct vulnerability scanning and current patching methodology assessment for vendor’s hosts, and end points (desktops and laptops). Scans for servers must be completed outside of normal business hours, 6:00PM to 7:00AM. (or as directed by the vendor) Scan activity must be coordinated with the POC (Point of Contact) prior to it being initiated.

d.      Conduct security vulnerability testing for publicly accessible systems when initial vulnerability scanning identifies potential high impact vulnerabilities. CoreRecon and the Vendor together will select the systems for testing during the security assessment engagement.

e.      CoreRecon will provide an inventory of all applications, data storage devices and systems, and identification and authentication measures. (Only systems that are active in the network infrastructure)

f.        An inventory of all Vendor hardware and its operating systems and network management systems. (Only systems that are active in the network infrastructure)

2.      The existing network infrastructure and configuration, including all interconnectivity and supported protocols and network services that are currently offered during time of testing. 

3.      Gaps in IT security governance – Review and make recommendations on vendors incident management plan.

4.      Current vulnerabilities – Review current vulnerability and patching process. Specifics to be supplied to vendor at start of engagement. Make recommendations on best practices to better secure the state.

5.      Existing security systems and components, including antivirus, firewalls, and network monitoring. Vendor shall assess current network security capabilities and their ability to identify and potentially stop cyber-attacks, data loss, and misuse of IT resources. These network security resources include firewalls, Intrusion Prevention Systems, and end-point security applications.

Proposal Materials to be Submitted


At a minimum, CoreRecon’s Proposal shall include the following items in this specific order and clearly marked as such:

A.    A description of the approach to the assessment so the desired results can be achieved, including how they will run their on-site kick-off meeting which will be held in phone/video conference mutually agreed upon date between CoreRecon and the Vendor.

B.    Cost – This project requires a not to exceed bid amount of $4,000.00 to complete the assignment and the cost shall be all inclusive of travel expenses and other incidental costs associated with the project. Costs and expenses relating to the preparation of a proposal and its submission are to be borne solely by CoreRecon. This security assessment is anticipated to be a large assessment; therefore, the hourly rate shall not exceed the rates provided with the proposal.

Information Security Risk Assessment SOW Deliverables


CoreRecon shall conduct the tasks (document review, vulnerability scanning, testing, network packet analysis, network scanning, architecture reviews and other work as needed) to compile data required to provide a detailed security assessment report which provides the Vendor the requested information in the format noted below based on the project description and scope.


Network Mapping

The Network Mapping service activity consists of identifying assets on an agreed upon IP address space or network range(s). CoreRecon shall attempt to determine open ports and services, hosts, servers, and operating systems running on the network. Identified assets during the Network Mapping shall serve as the target and scope of a Network Vulnerability Scan Service.

Vulnerability Scan

The Vulnerability Scan service comprehensively identifies IT vulnerabilities associated with the Vendor’s systems that are potentially exploitable by attackers. The results shall provide the vendor with guidance on remediation steps to close any identified vulnerabilities and minimize a vendor’s attack footprint.

Phishing Assessment [Vendor’s Discretion]

The Phishing Assessment can include scanning, testing, or both and is part of the 1-week external/internal test. [0365 Microsoft Admin Portal Audit]

     Phishing Scan Audit – The Phishing Scan Audit service measures the susceptibility of a vendor’s personnel to social engineering attacks, specifically email spear-phishing attacks. The CoreRecon team shall generate During the Phishing Scan Audit, no malicious activity shall be conducted by CoreRecon as it is only a metrics gathering technique. The vendor shall ensure firewall rules are in place to accept replies which originate from the Vendor network ranges and that replies from non-Vendor networks are denied/dropped at the firewall. All testing activities are conducted from an offsite location agreed upon by the vendor and CoreRecon.

Wireless Assessment

The Wireless Assessment can include wireless access point (WAP) detection, vulnerability testing or both. Wireless Network Detection will occur during an onsite portion of the assessment. Engineers shall conduct a walkthrough of Vendor facilities to identify and evaluate IEEE 802.11 Wireless Access Points (WAPs) that exist within a Vendor’s physical office location(s) and work with POC to determine if any rogue access points are in use. Wireless vulnerability testing analyzes the current wireless infrastructure to identify weaknesses and attempt to exploit them to gain additional access to a vendor network. During the wireless vulnerability test, CoreRecon identifies WAPs and attempts to exploit and gain access to the network through those WAPs. Once access is gained to the wireless network, the team shall attempt to map out the network and discover vulnerabilities.

Operating System Security Assessment (OSSA)

The Operating System Security Assessment (OSSA) service assesses the configuration of select host operating systems (OS) against standardized configuration baselines such as Security Technical Implementation Guides (STIGS). The results identify deviations from NIST required baselines and recommended remediation steps to bring configurations into compliance. All assessment activities are conducted onsite/remotely at the Vendor’s main location. Administrator or root-level access will be required for this service.


CoreRecon shall provide a written report demonstrating the comprehensive review that was performed utilizing the following outline as a sample document construct:

1.      Executive Summary

2.      Assessment Methodology and Approach

3.      Detailed Reporting of:

a.      Identified gaps in information security governance through examination of existing Statewide policies and state statutes

b.      A Matrix of discovered vulnerabilities and recommended remediation or mitigation strategies

i.                   Details of the vulnerabilities by host or node risk ranked by criticality (high, medium, low)

1.      Detailed description

2.      Status of external exposure (i.e., publicly accessible)

3.      Verification of vulnerability

4.      Mitigation Recommendation

c.      Specific results of vulnerability testing on selected systems

d.      Identified gaps surrounding current patching strategies and tools

e.      Identified gaps in network security firewalls, IPS and monitoring capabilities and recommended strategies to identify

f.        Identified misconfigurations and potential breaches found through examination of network traffic

4.      Conclusion

a.      General summary of the findings by areas and by NIST 800-53 rev 4 security control (e.g., SI-2 and control descriptor)

b.      Overall summary of the security posture.

c.      Prioritization and recommended remediation plan with estimated costs to address overall assessment results

i.                   Short Term

ii.                 Long Term

5.      Appendices

a.      Screen captures, logs, and other supporting documentation

** Execution of Statement of Work:  By agreeing to this terms and conditions, the Vendor certifies that:

·         this SOW Response was signed by an authorized representative of the Vendor

·         this SOW is subject to all terms and conditions

·         the undersigned Vendor offers and agrees to furnish the services set forth in the SOW.




                                                                                               Classification: //CORERECON/Confidential – Limited External Distribution: