Grants for Community Solar Photovoltaic (PV) Projects Providing Direct Benefits to Low and Moderate Income Residential Electric Customers

Page 6 of 15 Contractor Initials_______ Date_______ It is the prospective Vendor’s responsibility to forward a signed copy of any addendum requiring the Vendor’s signature to the Bureau of Purchase and Property with the bid response. In preparation of a bid response, the prospective Vendor shall: • Provide pricing information as indicated in the “Offer” section; and • Provide all other information required for the bid response (if applicable); and • Complete the “Vendor Contact Information” section; and • Complete the company information on the “Transmittal Letter” page, and sign under penalty of unsworn falsification in the space provided on that page. It is the responsibility of the Vendor to maintain any awarded contract and New Hampshire Vendor Registration with up-to-date contact information. Contract specific contact information (Sales contact, Contractor contract manager, etc.) shall be sent to the State’s Contracting Office listed in Box 1.9 of Form P-37. Additionally, all

updates i.e., telephone numbers, contact names, email addresses, W9, tax identification numbers are required to be current through a formal electronic submission to the Bureau of Purchase and Property at: https://www.das.nh.gov/purchasing/vendorresources.aspx. IF AWARDED A CONTRACT: The successful Vendor shall complete the following sections of the attached Agreement State of New Hampshire Form #P-37: Section 1.3 Contractor Name Section 1.4 Contractor Address Section 1.11 Contractor Signature Section 1.12 Name & Title of Contractor Signatory (if Vendor is not a sole proprietor) • Provide certificate of insurance indicating the coverage amounts required by Section 14 of the Form Number P-37. • Provide proof of sufficient workers’ compensation insurance coverage or evidence of exemption from RSA Chapter 81-A. • If the successful Vendor is a corporation, limited liability company, or other limited liability business entity, then provide a certificate of good standing issued by the NH Secretary of State or, for a newly incorporated, formed, or registered entity, a copy of the appropriate registration document certified by the NH Secretary of State. SPECIFICATIONS: Complete specifications required are detailed in the SCOPE OF SERVICES section of this bid invitation. In responding to the bid invitation, the prospective Vendor shall address all requirements for information as outlined herein. TERMINOLOGY Term Meaning ASV Company A data security company that has been qualified and continues to be qualified by PCI SSC to use an ASV scan solution of such company appearing on the ASV List to determine compliance of the State with the external vulnerability scanning requirement of PCI DSS Requirement 11.2.2 for ASV Program purposes. ASV Employee An individual who is employed by an ASV Company and has satisfied, and continues to satisfy, all ASV Requirements applicable to employees of ASV Companies who will use an ASV scan solution to determine compliance of the State with the external vulnerability requirement of PCI DSS Requirement 11.2.2 for ASV Program purposes ASV List The current list of ASV Companies and corresponding ASV scan solutions publishing by PCI SSC PCI DSS The current version to the Payment Card Industry (PCI) Data Security Standard (DSS) and Security Assessment Procedures PCI SSC PCI Security Standards Council, LLC BACKGROUND: The Department of Administrative Services (DAS) manages the statewide contract for all merchant card services offered to all three (3) branches of state government. The State accepts credit cards at twenty-two (22) agencies and more than 200 locations. The majority of business offices that support these locations are headquartered in Concord, New Hampshire but the locations are geographically located throughout the state. https://www.das.nh.gov/purchasing/vendorresources.aspx Page 7 of 15 Contractor Initials_______ Date_______ The State’s acceptance of credit cards has grown significantly over time and currently the state processes over 8 million transactions with over $600 million in sales. Agencies use a variety of channels to accept credit cards including standalone swipe devices, point-of- sale terminal, and e-commerce applications. The State currently has five (5) domains in scope utilized by several agencies. VENDOR COMPANY AND STAFF QUALIFICATIONS (EXPERIENCE): Vendor shall have a minimum of five (5) years of experience in provisioning external vulnerability scanning services to larger entities, preferably inclusive of government customers. Administrative and technical staff shall be of sufficient size and knowledge base to support the State in its initiatives. VENDOR MUST BE COMPLIANT WITH: NIST SP 800-171, Protecting Controlled, Unclassified Information in Non-Federal Systems and Organizations NIST SP 800-53R5, Security and Privacy Controls for Information Systems and Organizations for solutions that access/process/or store sensitive data. NIST SP 800-63, Digital Identity Guidelines NIST SP 800-115, Technical Guide to Security Testing and Assessment. SCOPE OF SERVICES: Vendor shall supply all labor, tools, transportation, materials, equipment and permits as necessary and required to perform services as described herein. Vendor shall provide Approved Scanning Vendor (ASV) services available to all State Agencies to conduct external vulnerability scanning in compliance with the current version of the PCI DSS Requirement 11.2.2. The ASV Vendor must be identified on the Payment Card Industry (PCI) Data Security Standards (DSS) ASV List and in good standing. If the Vendor is ever removed from the list or put on remediation status, it must inform the State immediately. The Vendor must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI scanning services. The ASV Company must possess information security/vulnerability scanning assessment experience similar to the PCI scanning services and have a dedicated security practice that includes staff with specific job functions that support the information security/vulnerability scanning practice. The Vendor at all times must have at least two (2) ASV employees performing or managing PCI scanning services and these employees must be qualified by the PCI Security Standards Council (SSC). The Vendor must maintain the privacy and confidentiality of the information it obtains while performing its duties and obligations as an ASV Company. The Vendor cannot be the State’s current Qualified Security Assessor (QSA). The Vendor shall perform monthly external scanning as follows: • Automatically scan the list of external domains for known vulnerabilities and configuration issues; • Provide an executive and technical compliance report; • Provide a detailed findings report that shall include, compliance status, prioritized vulnerabilities, policy weaknesses, and remediation recommendations; • Provide a secure web portal that allows the State to review its findings and obtain reports; o Ability for the State to download all detailed findings in a CSV or Excel spreadsheet format to use for internal remediation efforts. Individual findings shall be listed in its own row; and o Preferably, all DAS and staff designated by DAS, the ability to set-up and modify scan schedules and set-up, modify, and disable users. Page 8 of 15 Contractor Initials_______ Date_______ SECURITY: The Vendor must maintain the following security measures of its system: Intrusion Detection methods used to ensure the detection, recording and review of attempted access or modification by unauthorized individuals. Privacy methods used to ensure that confidential Data and sensitive communications are kept private. System maintenance methods used to ensure that system maintenance does not unintentionally disrupt the security mechanisms of the Application or supporting hardware. A Software patch schedule employed to protect Vendor’s Software from new security vulnerabilities as they arise. The ability of Vendor’s Software to be installed, if applicable, in a “locked-down” fashion so as to turn off unnecessary features (user accounts, Operating System Services, etc.) thereby reducing the Software’s security vulnerabilities and attack surfaces available to System hackers and attackers. ADDITIONAL REQUIREMENTS: Unless otherwise stated in the Scope of Services, any on site services performed under this Contract shall be performed between the hours of 7:30 A.M. and 4:00 P.M. for State business days, unless other arrangements are made in advance with the State. Any deviation in work hours shall be pre-approved by the Contracting Officer. The State requires ten-day advance knowledge of said work schedules to provide security and access to respective work areas. No premium charges shall be paid for any off-hour work. The Vendor shall not commence work until a conference is held with each agency, at which representatives of the Vendor and the State are present. The conference shall be arranged by the requesting agency (State). The State shall require correction of defective work or damages to any part of a building or its appurtenances when caused by the Vendor’s employees, equipment or supplies. The Vendor shall replace in satisfactory condition all defective work and damages rendered thereby or any other damages incurred. Upon failure of the Vendor to proceed promptly with the necessary corrections, the State may withhold any amount necessary to correct all defective work or damages from payments to the Vendor. The work staff shall consist of qualified persons completely familiar with the products and equipment they shall use. The Contracting Officer may require the Vendor to dismiss from the work such employees as deems incompetent, careless, insubordinate, or otherwise objectionable, or whose continued employment on the work is deemed to be contrary to the public interest or inconsistent with the best interest of security and the State. The Vendor or their personnel shall not represent themselves as employees or agents of the State. While on State property, employees shall be subject to the control of the State, but under no circumstances shall such persons be deemed to be employees of the State. All personnel shall observe all regulations or special restrictions in effect at the State Agency. The Vendor’s personnel shall be allowed only in areas where services are being performed. The use of State telephones is prohibited. If sub-contractors are to be utilized, please include information regarding the proposed sub-contractors including the name of the company, their address, contact person and three references for clients they are currently servicing. Approval by the State must be received prior to a sub-contractor starting any work. WARRANTY REQUIREMENTS: The successful Vendor shall be required to provide warranties on all equipment provided by the Vendor for a period of not less than one (1) year or the manufacturer’s standard warranty period, whichever is greater, commencing on the date that the equipment is received, inspected, and accepted by the State of New Hampshire. The warranty shall cover 100% of repair or replacement costs, including all parts, shipping, labor, travel, lodging, and expenses. OBLIGATIONS AND LIABILITY OF THE VENDOR: The successful Vendor shall perform all work and furnish all materials, tools, equipment and safety devices necessary to perform the requested services in the manner and within the time hereinafter specified. The Vendor shall provide said services to the satisfaction of the State and in accordance with the specifications and at the price set forth herein. All work to be performed and all equipment to be furnished pursuant to the Scope of Services included herein shall be performed and furnished in strict accordance with the Page 9 of 15 Contractor Initials_______ Date_______ specifications included herein, the terms of any contract awarded as a result of this solicitation, any associated contract drawings, and the directions of State representatives as may be given from time to time while the work is in progress. The successful Vendor shall take full responsibility for the work to be performed pursuant to the Scope of Services included herein; for the protection of said work; and for preventing injuries to persons and damage to property and utilities on or about said work. The Vendor shall in no way be relieved of such responsibility by any authority of the State to give permission or issue orders relating to any part of the work, by any such permission given or orders issued, or by any failure of the State to give such permission or issue such orders. The successful Vendor shall bear all losses accruing to the Vendor as a result of the amount, quality, or character of the work required, or because the nature or characteristics of the work location is different from what the Vendor estimated or expected, or due to delays or other complications caused by the weather, elements, or other natural causes. The successful Vendor agrees that any damage or injury to any buildings, materials, equipment, or other property resulting from the Vendor’s performance of the requested services shall be repaired at the Vendor’s own expense so that such buildings, materials, equipment, or other property are satisfactorily restored to their prior condition. NON-EXCLUSIVE CONTRACT: Any resulting Contract from this RFB will be a non-exclusive Contract. The State reserves the right, at its discretion, to retain other Contractors to provide any of the Services or Deliverables identified under this procurement or make an award by item, part or portion of an item, group of items, or total Proposal. OFFER: Vendor hereby offers to perform the services to the State of New Hampshire as specified at the prices quoted below, in complete accordance with the general and detailed specifications included herewith. Cost Item Fixed Rate Monthly External Vulnerability Scanning per domain. VENDOR CONTACT INFORMATION: Please provide contact information below for a person knowledgeable of and who can answer questions regarding this bid response. ____________________________________ _______________________ __________________________ Contact Person Local Telephone Number Toll Free Telephone Number ______________________________________________________ __________________________________________________ E-mail Address Company Website __________________________________________ _______ _________________________________________________________ Vendor Company Name Vendor Address ATTACHMENTS: The following attachments are an integral part of this bid invitation: Attachment A: Sample P-37 Form Page 10 of 15 Contractor Initials_______ Date_______ The Bid Opening is open to the public online at the following: Microsoft Teams meeting. Join on your computer, mobile app or room device Click here to join the meeting Meeting ID: 216 157 709 964 Passcode: cHtjuj Download Teams | Join on the web Join with a video conferencing device nhgov@m.webex.com Video Conference ID: 117 560 774 1 Alternate VTC instructions Or call in (audio only) +1 603-931-4944,,106985345# United States, Concord Phone Conference ID: 106 985 345# Find a local number | Reset PIN Learn More | Meeting options https://teams.microsoft.com/l/meetup-join/19%3ameeting_MDFiMDY5MjAtMzZkNS00YTU0LWJkYmItYjIxOGY1Y2ExNzAz%40thread.v2/0?context=%7b%22Tid%22%3a%22992deae9-1c4c-42c8-a310-5088af55ba74%22%2c%22Oid%22%3a%22d7204119-e3db-4e58-92a3-473ed458017c%22%7d https://www.microsoft.com/en-us/microsoft-teams/download-app https://www.microsoft.com/microsoft-teams/join-a-meeting mailto:nhgov@m.webex.com https://www.webex.com/msteams?confid=1175607741&tenantkey=nhgov&domain=m.webex.com tel:+16039314944,,106985345#%20 https://dialin.teams.microsoft.com/f7a647af-ea74-46b0-81b7-19cbfe838a27?id=106985345 https://dialin.teams.microsoft.com/usp/pstnconferencing https://aka.ms/JoinTeamsMeeting https://teams.microsoft.com/meetingOptions/?organizerId=d7204119-e3db-4e58-92a3-473ed458017c&tenantId=992deae9-1c4c-42c8-a310-5088af55ba74&threadId=19_meeting_MDFiMDY5MjAtMzZkNS00YTU0LWJkYmItYjIxOGY1Y2ExNzAz@thread.v2&messageId=0&language=en-US