Request for Proposals:
Cybersecurity Risk Assessment
We will consider all responses that are sent to Emma Bates (ebates@603legalaid.org) by 5:00 pm EST on 05/30/2025. Please include the name of the project, “603LA Cybersecurity Risk Assessment,” in the subject line. All communication concerning this RFP must be directed to ebates@603legalaid.org. Any oral communications will be considered unofficial and nonbinding on 603LA. Only written statements issued by the RFP Coordinator may be relied upon.
Summary
603 Legal Aid (603LA) is seeking proposals from qualified cybersecurity firms to conduct a comprehensive Cybersecurity Risk Assessment. This assessment should identify the physical and digital assets susceptible to cyberattack, identify the risks to those assets, evaluate the risks (e.g., high, medium, or low) based on likelihood and impact, and document the results of the risk assessment, including the development and implementation of appropriate controls.
About 603 Legal Aid
603 Legal Aid (603LA) is dedicated to our mission of making access to justice a reality for – and with – all NH residents who experience economic hardships that threaten their basic human needs. Our goal is to provide comprehensive legal assistance and advocacy to empower low-income individuals and families through legal representation, advocacy, referrals, and education.
603LA is a non-profit organization formed in 2021 from the merger of the Pro Bono Referral System of the NH Bar Association and the Legal Advice and Referral Center, which together had more than fifty years’ experience providing civil legal aid to those who need it most in NH. 603LA currently operates legal clinics, connects clients with volunteer attorneys providing pro bono services, and engages in community outreach to address the wide variety of civil legal issues affecting low-income people. In addition, our in-house legal staff focus primarily on the critical areas of housing, family, and consumer law.
603LA is a grantee of Legal Services Corporation and must adhere to compliance requirements for information technology and cybersecurity. This includes the terms and conditions of our basic field grant and the LSC Financial Guide, effective January 1, 2023, Section 2.5, 2.5.3 Electronic Data Processing and Cybersecurity. (See Appendix A)
Scope of Work
The selected firm will conduct a cybersecurity risk assessment, including but not limited to:
Network Security Assessment
Evaluate firewall configurations, intrusion detection, and prevention systems.
Assess network segmentation and data flow security.
Endpoint Security & Device Management
Review security controls on workstations, mobile devices, and remote access protocols.
Identify vulnerabilities in hardware and software configurations.
Data Protection & Access Control
Assess encryption policies and data storage security.
Review access controls, authentication mechanisms, and privilege management.
Compliance & Regulatory Review
Evaluate adherence to legal and regulatory requirements (e.g., Legal Services Corporation (LSC) security guidelines).
Identify gaps and provide compliance recommendations.
Incident Response & Disaster Recovery Readiness
Review existing incident response and disaster recovery plans.
Provide recommendations for improved response times and risk mitigation.
Employee Security Awareness & Training Assessment
Assess the effectiveness of current security training programs.
Recommend improvements for ongoing cybersecurity awareness.
Deliverables
The vendor must provide:
A comprehensive Cybersecurity Risk Assessment Report detailing findings, risks, and vulnerabilities.
A prioritized list of remediation recommendations.
A roadmap for implementing security improvements with estimated costs and timelines.
An executive summary for leadership and a technical report for IT personnel.
Proposed Timeline
RFP Released: 05/05/25
Proposal Deadline: 05/30/25
Successful proposal announced no later than: 06/20/25
Contract signed and work commences: 08/01/2025
Work must be completed no later than: 11/21/25
Vendor Requirements
Responses must contain the following information in the following format. Please restate the requirement or question number of your responses to correspond with the information requested here.
Introduction/executive summary.
Vendor’s Name, address, federal tax identification number or Social Security Number (SSN), Uniform Business Identifier (UBI) number, and a description of the vendor’s legal status, e.g., corporation, sole proprietor, etc.
Vendor contact’s Name, telephone number, fax number and email.
A statement that guarantees that the response constitutes a firm offer valid for sixty (60) days following receipt and that 603LA may accept it at any time within the 60-day period.
Statement setting forth vendor’s experience conducting projects of this nature, and highlighting experience working with LSC projects, if applicable.
A statement on whether the vendor or any employee of the vendor is related by blood or marriage to a 603LA employee or member of its Board of Directors or resides with a 603LA employee or member of its Board of Directors. If there are such relationships, list the names and relationships of said parties. Include the position and responsibilities within the vendor's organization of such vendor employees.
State whether the vendor has been a party in any litigation during the past five (5) years. All such incidents, except employment-related cases, must be described, including the other parties' name, address, and telephone number. Present the vendor's position on the matter.
Provide at least two (2) references for the same or similar services you have completed for others in the last five years. Please include the phone number or email address of the referenced individual so they may be contacted.
Statement of Interest and Understanding which includes a description of your approach to completing the Scope of Work and Deliverables along with a project timeline and detailed project budget.
Please state your total cost for completing this work.
Proposals that exceed 10 pages (not including samples and references) in length will not be accepted. Copy of project plan to be provided upon request. Late proposals will not be accepted and will be automatically disqualified from further consideration.
Evaluation Criteria
Proposals will be evaluated based on:
Vendor’s experience and qualifications (25%)
Understanding of scope and proposed methodology (25%)
Cost-effectiveness (20%)
References and past performance (15%)
Proposed timeline and deliverables (15%)
Submission Instructions
All proposals must be submitted electronically in PDF format to ebates@603legalaid.org no later than 05/30/25. Late submissions will not be considered.
For questions, contact Emma Bates at ebates@603legalaid.org or 603-584-4125.
Disclaimers
603LA reserves the right to change the RFP Schedule or issue amendments to this RFP at any time. 603LA also reserves the right to cancel or reissue the RFP.
603LA will not pay any vendor costs associated with preparing responses submitted in response to this RFP.
603LA reserves the right to waive minor administrative irregularities contained in any response.
The release of this RFP does not compel 603LA to enter into any contract. 603LA reserves the right to refrain from contracting with any vendor that has responded to this RFP, whether or not the vendor's response has been evaluated and whether or not the vendor has been determined to be qualified. Exercise of this reserved right does not affect 603LA’s right to contract with any other vendor.
603LA reserves the right to request an interview with any vendor and/or a demonstration from any vendor prior to entering into a contract with that vendor. If a vendor declines the request for an interview or demonstration for any reason, the vendor may be eliminated from further consideration.
603LA reserves the right to enter into contracts with more than one vendor as a result of this RFP.
The selection of a vendor pursuant to this RFP does not constitute an endorsement of the vendor's services. The vendor agrees to make no reference to 603LA in any literature, promotional material, brochures, sales presentations, or the like without the express written consent of 603LA.
Website, product, deliverables, data, and other shall be owned by 603LA, its successors and assigns.
All intellectual property rights shall be owned by 603LA, its successors and assigns.
All responses, accompanying documentation and other materials submitted in response to this RFP, or in response for more information, shall become the property of 603LA and will not be returned.
The vendor chosen will be asked to sign a non-disclosure agreement affirming the confidentiality of 603LA’s content and other aspects of the project.
Appendix A: LSC Regulations
Risk assessment procedures will vary by recipient. However, at minimum, the process should:
Identify the physical and digital assets susceptible to cyberattacks
Identify risks to those assets (risks should be evaluated annually for changes)
Evaluate the risks (e.g., high, medium, or low) based on likelihood and impact
Document the results of the risk assessment, including the development and implementation of appropriate controls