The Vendor is required to conduct a comprehensive cybersecurity audit.
- The audit is to assess our current security posture, identify vulnerabilities, and provide actionable recommendations to enhance our cybersecurity framework.
- Licensing & Compliance
• Vendors must be licensed to do business in the state.
• Testing and gap assessments must align with institute 800 standards.
• Review agency cybersecurity policies for alignment with institute 800; document gaps and provide recommendations.
- Network & System Assessment
• Conduct internal and external penetration testing, including wireless networks.
• Perform testing during both business and after hours.
• Confirm segmentation of systems and assess vulnerabilities across segmented networks.
• In-scope systems include:
o ~60 servers (Windows/Linux)
o ~500 endpoints (Windows/macOS; Linux possible in limited numbers)
o ~350 network devices (routers, switches, firewalls, WAPs; vendor details post-award)
o Mobile devices in scope; MDM platform shared post-award
o IoT devices (printers, cameras; ICS/SCADA excluded)
o Web applications (3–5 mission-critical; list post-award)
o APIs/microservices (REST; counts post-award)
o Databases (SQL/NoSQL; platforms include Microsoft SQL Server)
o Domain services (Active Directory Domain Services, AD DS)
o Cloud platforms (Azure AD, Microsoft 365, hybrid environment)
o SaaS applications (e.g., O365, HR, finance apps)
o Third-party/vendor-connected systems
- Social Engineering & Security Testing
• Penetration testing: both unauthenticated (black-box) and authenticated (gray-box) scans required; white box only if mutually agreed.
• No systems are explicitly off-limits, but some legacy/ERP may require restricted testing windows.
• Testing windows: no blackout dates; testing may occur during and after business hours.
• Execute phishing campaigns (user list provided post-award).
• Conduct phone-based social engineering.
• Perform in-person testing (e.g., USB drops).
• Evaluate employee susceptibility; results may be anonymized but should include departmental trends.
- Policy & Governance Review
• Evaluate the comprehensiveness of IT security policies and controls.
• Benchmark against institute 800; cross-mapping to act, PCI-DSS, and institute where applicable.
• Document deficiencies and provide remediation recommendations (policy rewrites not required).
- Reporting and Presentations
• Deliverables must include:
o Technical report with vulnerabilities, risk ratings, and remediation recommendations.
o Executive summary for non-technical audiences.
o Remediation roadmap with effort estimates; vendor-neutral recommendations preferred.
• Multiple presentations tailored to:
o Agency Leadership & Executive Team
o IT Department
o Other critical departments
- Access & Engagement
• Work may be performed remotely or onsite; vendor to propose approach.
• Expected 1–2 onsite visits (finalized during contract negotiation).
• Agency IT will provision access within two weeks of contract execution.
• Sensitive details (configurations, diagrams, MDM platform) provided post-award under a Non-Disclosure Agreement (NDA).
- Budget: $100,000
- Contract Period/Term: 1 year
- Questions/Inquiries Deadline: October 14, 2025