Managed Security Services

The vendor is required to provide managed cyber security services for the agency enterprise. 
- Managed cyber security services include, but not limited to:
• Risk assessments;
• Incident response;
• Cyber security awareness education;
• Penetration testing;
• Vulnerability assessments;
• Cyber security consulting;
• Virtual CISO enhancement;
• Internet of things (IOT) and biomed device security and
• Services management.
- Vendors must additionally meet the following requirements:
• Be product agnostic and not a product vendor for a specific system or application.
• Have a physical and staffed office located in state.
• Be available 365/7/24 for incident response services.
• Provide SLA (service level agreement) time of 4 hours or better.
- The agency information technology environment encompasses approximately:
• 150 routers/switches;
• 350 windows servers – 2016, 2019, 2022 and 2025;
• 6,000 windows workstations;
• 700 handheld devices;
• 1,100 printers and output devices;
• 1,000 biomed devices;
• 400 applications;
• 5 remote sites;
• 4,500 staff members and
• 1,000+ non- agency associates and partners.
- Cyber security awareness:
• Cyber security awareness – instructor lead cyber security training for leadership – approximately 400 individuals.
o Customized for the agency leadership audience.
o Minimum eight interactive sessions.
o Topics are agreed to annually by agency and vendor.
• Cyber security awareness – instructor lead cyber security training for executive management – approximately 50 individuals.
o Customized for agency executive management.
o Minimum two interactive sessions.
o Topics are agreed to annually by agency and vendor.
• Cyber security awareness program review
o Review of the cyber security awareness program for opportunities.
o Assist to develop techniques to identify the success of the cyber security awareness program.  - Cyber security consulting:
• Consulting hours are available and designated to review cyber security situations such as:
o New systems security controls review;
o Situational review;
o Regulation interpretation and
o Possible impact assessment including business and financial.
• Ability to increase consulting hours through contract amendments.
• Executive and operational knowledge of health care systems and processes.
• Demonstrated knowledge of business continuity and disaster recovery environments and delivery methods.
- Contract Period/Term: 1 year
- Pre-Proposal Conference Call Date: July 8, 2025
- Questions/Inquires Deadline: July 9, 2025