Cybersecurity Assessment — PSPC IT Standing Offer Call-Up
Sample 1 of 3 · NAICS 541512 · Federal IT services · Solo-tier output
Executive Summary
NorthEdge Consulting Inc., a four-person Indigenous-owned cybersecurity practice based in Gatineau, Quebec, submits this proposal for a focused vulnerability assessment and remediation roadmap covering [Department] departmental network segments identified in Annex A of the solicitation.
Our approach combines a 5-day discovery sprint, a 10-day technical assessment using industry-standard tools (Nessus Professional, Burp Suite Pro, BloodHound for AD path analysis), and a 5-day remediation roadmap workshop with the departmental security team. We commit to delivering the final report 25 working days from contract award. Our team holds active Reliability security clearances; our lead consultant is OSCP and CISSP certified.
NorthEdge is registered with the Procurement Strategy for Aboriginal Business (PSAB) under file # [bidder fills in]. We have prior experience delivering comparable assessments for [redacted Crown corporation] and [redacted federal department] in 2024–2025, both of which closed under budget.
Mandatory Criteria — M1 through M5
NorthEdge Consulting Inc. — Quebec corporation, business number [BN], CRA Procurement Business Number on file. Principal place of business: 200 Rue Laurier, Gatineau, Quebec.
All four personnel proposed for this engagement currently hold Reliability clearance issued by Public Services and Procurement Canada (Industrial Security Sector). Lead consultant additionally holds Secret clearance from a 2025 engagement; Reliability is sufficient per Section 5.2 of the solicitation.
Lead consultant credentials: OSCP (offensive security), CISSP (information systems security), GPEN (penetration testing). 9 years of experience including 4 years on federal engagements. Two analysts hold Security+ and have a combined 6 years of Active Directory hardening experience.
Three relevant engagements in the last 36 months — references provided in Annex C. Project values $95K, $145K, $220K. All closed on time, two closed under budget. Reference letters available on request to the contracting authority.
Commercial General Liability ($2M aggregate) and Professional Liability ($1M per occurrence) carried via Northbridge Insurance, certificate attached as Annex D. Coverage exceeds Section 5.5 minimums of the solicitation.
Rated Criteria — R1 through R3
Phase 1 — Discovery (5 working days). Workshop with departmental security team. Asset inventory reconciliation against existing CMDB. Threat-model session producing a STRIDE-based risk register scoped to in-scope segments.
Phase 2 — Technical Assessment (10 working days). Authenticated Nessus scans against in-scope hosts. Internal Burp Suite testing of departmental web applications. BloodHound path analysis for Active Directory. Manual validation of every Critical/High finding to eliminate false positives. Daily debrief with security team.
Phase 3 — Remediation Roadmap (5 working days). Final report categorising findings by CVSS severity. Each finding gets: technical context, business impact, recommended remediation with estimated effort, and a proposed quarter for execution. Workshop with security and operations teams to prioritise.
Lead consultant acts as single point of accountability. Weekly written status reports every Friday. Open issues tracked in a shared register accessible to the contracting authority. Escalation path: lead consultant → NorthEdge principal → contracting authority. We use an issues-and-decisions log throughout, archived to the contracting authority on closeout.
Two formal sessions: a mid-engagement technical walk-through with the security operations team, and a closeout briefing with security leadership. All scripts, scan configurations, and analysis tooling documented and handed over. The departmental team should be able to re-run an equivalent assessment in 12 months without reprocuring.
Pricing Summary
| Phase | Effort (days) | Day rate | Subtotal |
|---|---|---|---|
| Phase 1 — Discovery | 5 | $1,400 | $7,000 |
| Phase 2 — Assessment (lead) | 10 | $1,400 | $14,000 |
| Phase 2 — Assessment (2 analysts) | 10 × 2 | $1,050 | $21,000 |
| Phase 3 — Roadmap | 5 | $1,400 | $7,000 |
| Tooling licenses (Nessus Pro, Burp) | — | — | $2,400 |
| Reporting + project management | 3 | $1,200 | $3,600 |
| Total (excl. GST/QST) | | | $55,000 CAD |
Pricing is firm. Day rates include all overhead, equipment, and remote work expenses. Travel, if requested for on-site days at departmental sites, would be billed at cost against receipts per Treasury Board directives.
Compliance & Certifications
- PSAB-eligible — Indigenous Business Directory file # on record
- CRA Procurement Business Number active
- SOC 2 Type II — work-products handling (audit attestation 2025)
- ISO/IEC 27001 — internal information security management (Lloyd's, expires Q4 2026)
- Code of Conduct for Procurement — signed compliance attestation attached
- Integrity Regime — bidder declaration attached, no convictions in scope
What we'd add before submitting
P.R.O.C.U.R.E. produced the structured response above. Before you actually submit:
- Confirm active Reliability clearance on each named team member (we asserted, you verify)
- Pull and attach the actual PSAB registration certificate as Annex B
- Refresh the three reference letters to be dated within 90 days of submission
- Have your insurance broker confirm coverage hasn't lapsed and produce a current Certificate of Insurance for Annex D
- Sign the Integrity Regime declaration and the Code of Conduct attestation
- Have a second pair of eyes review the M-criteria responses against your actual operating reality — AI gets enthusiastic, you stay accurate