The Vendor is required to provide information and cybersecurity services.
- Policy Development: Services in this category are designed and intended to assess the current security posture, identify gaps, and develop comprehensive policies tailored to the Purchaser’s needs. Additional activities in this category can include consultation, assessment, analysis, documentation, review and validation, continuous improvement and reporting.
- Risk Management and Assessment: Services in this category are designed and intended to assess risks, identify gaps, and develop comprehensive remediation plans tailored to the Purchaser’s needs. Additional activities in this category can include asset and threat identification, vulnerability assessment, risk response planning, reporting, compliance and implementation support.
- Security Audits and Compliance: Services in this category are intended to perform activities designed to evaluate existing security controls, processes, and compliance with industry standards. Activities include performing security audits to ensure compliance with industry standards, offering compliance consulting and certification support, and conducting internal and external audits to assess security postures.
- Penetration Testing and Vulnerability Assessments: Services in this category are intended to perform activities designed to identify weaknesses in systems, networks, and applications and address security gaps proactively. The scope includes penetration testing, vulnerability assessments and could involve compliance audits, security awareness and policy review.
- Incident Consulting and Digital Forensics: Contractors awarded in this category will provide consultation services related to Incident Consulting and Digital Forensics. This scope does not include direct emergency incident response activities. Services may include guiding post-incident response reviews, conducting digital forensics reviews, providing insights into emerging threats and vulnerabilities, and assisting with the development and implementation of incident response plans and playbooks.
- Data Protection and Privacy: Services in this category are intended to perform activities designed to develop data protection strategies and policies and ensure compliance with data protection regulations and standards. Additional activities in this category can include risk assessment and analysis, security implementation, training, monitoring and auditing, incident management, data lifecycle management, vendor management and the development of technology solutions.
- Identity and Access Management (IAM): Services in this category are intended to perform activities to design and implement IAM solutions, provide multi-factor authentication (MFA) and single sign-on (SSO) services, and manage identity governance and administration. Additional activities in this category can include assessment, planning, design and architecture, implementation, configuration, testing and validation, reporting and training.
- Cloud Security: Services in this category are intended to offer cloud security assessments and best practices, implement secure cloud architectures and configurations, and provide continuous monitoring and management of cloud environments. Additional activities in this category can include architecture review and design, compliance and governance, identity and access management (IAM), data, network and application security, incident response, training and third-party risk management.
- Cybersecurity Strategy and Governance: Services in this category are intended to develop comprehensive cybersecurity strategies aligned with the Purchaser’s operational goals, provide governance frameworks and policies, and offer executive and board-level cybersecurity advisory services. Additional activities in this category can include assessment and gap analysis, cybersecurity strategy, risk management, security architecture and technology evaluation, training, monitoring, reporting, audit and compliance, crisis management and business continuity.
- IoT and OT Security: Services in this category are intended to perform activities to secure the Internet of Things (IoT) and Operational Technology (OT) environments, conducting assessments and implementing security measures for IoT/OT devices, and providing continuous monitoring and threat detection for IoT/OT networks.
- Cybersecurity Staff Augmentation: Services in this category are intended to provide staff to augment cybersecurity teams by enhancing an in-house cybersecurity team with additional expertise and resources. Additional activities in this category can include planning, help in recruitment and screening of candidates, skill development training, operational support, performance management and knowledge transfer.
- Contract Period/Term: 1 year
- Virtual Pre-Bid Conference Date: October 28, 2025
- Questions/Inquiries Deadline: November 18, 2025