The vendor is required to provide cybersecurity assessments and services that will:
• Establish a standardized, objective baseline of cybersecurity maturity across agencies, as required by law and policy.
• Identify specific control gaps, systemic risks, and areas for improvement within agency environments and statewide.
• Provide crucial, empirical data to inform and strengthen office governance, risk, and compliance (GRC) functions and support statewide risk management decisions.
• Enable office and agency leadership to objectively track maturity progress over time, demonstrating the impact of security investments and remediation efforts.
• Guide strategic planning, prioritize resource allocation, and inform the development and integration of cybersecurity capabilities, including centralized office services.
- Cybersecurity assessments:
• Conduct approximately ninety (90) cybersecurity assessments of units of state government in a 24-month period to determine each unit's overall security posture and maturity.
• Utilize experienced personnel capable of conducting cybersecurity assessments to determine an organization’s cybersecurity maturity.
• Independently scope each assessment, conduct interviews, assess documentation, rate functional area maturity levels, and present results, findings, and recommended remediations that emerge from each assessment.
• This includes, but is not limited to, security maturity assessment closeout meetings with each agency of government.
• All assessments shall be performed using a standardized assessment framework, which will consist of staff and personnel interviews, workbooks, reports, and closeout presentations.
• Update the cybersecurity assessment template if assessment requirements or control frameworks change.
• The evaluation standards guide should be a comprehensive document that ensures consistent and objective CMMI scoring for cybersecurity assessments.
• Provide the standard definition alongside a clear cybersecurity-focused interpretation, complete with relevant examples and the types of evidence to look for within the context of institute technology controls (and potentially others).
• The guide must include guidance on how to apply these rating levels consistently, weigh evidence, address partial implementations, ensure inter-assessor reliability, and document the rationale behind each score.
• Utilize approved methodologies and tools for conducting assessments and generating reports, and ensure that all key data outputs are structured and maintained in a format compatible with the import requirements of the state’s GRC platform.
• Key data outputs include, at a minimum, assessment scope information, maturity scores, documented findings, identified risks, identified issues, and recommended remediation actions.
• Provide this data in a state-specified format and provide reasonable technical assistance to facilitate its successful import into the GRC platform.
• Develop and maintain real-time reporting dashboards.
• The data shall be capable of being imported into the state’s GRC platform.
• The reporting system shall display the following dashboards using cybersecurity assessment data at an aggregated (i.e., statewide) and disaggregated (i.e., agency-level) level:
o Top control categories by maturity;
o Most common constraints;
o Top recommended areas of improvement;
o Maturity levels based on Capability Maturity Model Integration (CMMI) scoring (0-5) across all five areas (identify, protect, detect, respond, recover);
o Top findings, top risks, top issues, and issue response by agency.
• All dashboards must provide interactive drill-down capability, allowing users to explore the underlying assessment data supporting summary views.
• To facilitate targeted analysis and comparison across agency groups, dashboards shall incorporate robust filtering capabilities.
- Contract Period/Term: 2 years
- Pre-Proposal Conference Date: October 6, 2025
- Questions/Inquiries Deadline: October 13, 2025