The vendor is required to provide a security awareness platform, which is essential for safeguarding sensitive information, preventing financial and reputational harm, and protecting organizational assets from cyber threats.
- Security learning management system
1. Learning material that covers a broad range of users.
• Preferred users are privileged users and admins (HR, finance, etc.), the executive suite, standard end users, and IT and technical team members.
2. Learning material that covers a broad range of topics, including but not limited to:
• Artificial intelligence (AI) and machine learning (ML)
• Email security and best practices
• Phishing
• Internet browsing secure practices
• Social engineering (phishing emails, voice and text or instant messaging)
• Tailgating
• Privacy and confidentiality of information and clean desk practices
• Secure software development and security by design
• Password hygiene
• Insider threats
• Cloud and remote work risks
• Patient health information protection training (e.g., Health Information Protection Act)
3. Targeted training campaigns for groups based on Active Directory properties (e.g., location, department)
4. Reporting and key performance indicators, including but not limited to:
• Analytics and metrics providing completion tracking, risk scoring, and behavior change measurement.
• Benchmarking to compare organization progress against industry peers.
• Role-based dashboards providing custom configurable views for executives and department owners.
• Real-time alerts to notify administrators and leaders when employees miss deadlines or fail critical training.
• Audit-ready reports that can be generated in PDF and CSV for regulators, auditors, or board review.
• Multi-year trend analysis data on improvements, risk reduction, etc.
- Security awareness platform
1. The platform should have the following technical characteristics:
• Cloud-based (software as a service), with a web-based user interface.
• Features and functions are available for both on-premises and cloud-hosted mail services.
• Support a multi-forest and multi-domain Active Directory environment, involving multiple trusted domains and forests.
• Native plugin for enterprise mail clients such as Microsoft Outlook, for reporting suspected phishing emails.
• Phishing reporting plugin and app compatible with Microsoft Exchange and Office 365 web and desktop.
• Support open interoperability standards (e.g., REST, HTML, SOAP, etc.).
• Provide integration interfaces to enable automation and orchestration.
• Support security information and event management (SIEM) integration options.
• Support connectors to major cloud security solutions as well as on-premises options.
• Support federated single sign-on with on-premises or cloud identity services for the centralized management console.
• The proponent's proposed product should support identity federation for a multi-domain Active Directory environment.
• The proponent's product provides the ability to create and customize content with an easy-to-use editor or using third-party tools to author compliant content.
2. The platform should have the following security characteristics:
• Strong authentication options for accessing the centralized management console.
• Encryption for data in transit and at rest.
• Tamper-proof audit trail capabilities for all user activities on the centralized management console.
• Role-based access controls (RBAC) or fine-grained access control mechanisms to effectively manage access based on varied business needs.
• Logical isolation of cloud components from other customers.
3. The platform should support phishing simulation campaigns with varying lure strengths and levels of sophistication, including but not limited to the following:
• The phishing tests sent as part of the campaign should be customizable.
• The phishing tests should be able to be deployed on a schedule or set to deploy randomly.
• The platform should have a dashboard that enables reporting on campaign progress and results.
• The platform should provide reporting with metrics and data to evaluate the effectiveness of the training.
• The platform should support smishing (SMS-based phishing simulations) to assess user resilience to mobile threats.
• The platform should enable whaling and business email compromise simulations targeted at executives and high-risk staff.
• The platform should provide options for emerging user-based threat simulations, such as deepfake-driven attacks, voice phishing (vishing), and other advanced social engineering techniques.
- Contract Period/Term: 5 years
- Questions/Inquiries Deadline: October 23, 2025