The vendor is required to provide cybersecurity maturity assessment program and protocols and availability of the agency’s IT and operating technology systems, examples of which include, but are not limited to:
1. IT systems:
• Enterprise resource planning (“ERP”) systems
• Customer relationship management (“CRM”) systems
• Database management systems (“DBMS”)
• Networking infrastructure
• Cloud computing platforms
2. Operating technology (OT) systems:
• Industrial control systems (“ICS”)
• Building automation systems (“BAS”)
• Programmable logic controllers (“PLC”)
• Energy management systems (“EMS”)
• Transportation control systems
- Tasks
1. Cybersecurity practices assessment
• Govern: establish and maintain oversight, risk management strategy, roles and responsibilities, and policies to ensure cybersecurity is integrated into the agency risk management and decision-making processes.
• Identify: develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• Protect: implement safeguards to ensure delivery of critical services and manage cybersecurity risks.
• Detect: develop and implement activities to identify the occurrence of a cybersecurity event.
• Respond: take action regarding a detected cybersecurity incident to contain its impact.
• Recover: develop and implement plans to restore any capabilities or services that were impaired due to a cybersecurity event.
2. Cybersecurity organization assessment
• Determine if the team is adequately staffed, trained and equipped and if there are any skills or staffing gaps that need to be addressed.
• Review individual and team capabilities, competencies, roles, and certifications, as well as systems deployed to address the NIST Cybersecurity Framework (CSF) and organizational demands.
• Deliver a report highlighting areas of strength and areas requiring additional capabilities, resources or training for the team.
• The report shall also highlight the tool utilization and coverage as well as staff’s capability to use the tools to manage the environment.
3. Cybersecurity risk management assessment (CSRM)
• Evaluate the impact of cybersecurity risks, including higher costs, lower revenue, reputational damage, and the impairment of innovation.
• Evaluate the agency’s risk appetite expressed at other levels of risk management and how it gets translated into more specific CSRM risk tolerance.
• Understanding the cybersecurity risk management dependencies is an essential activity. Evaluate the dependencies between cybersecurity technology, risk management, and enterprise risk management.
• Utilize NIST CSF 2.0 to determine how mature cybersecurity risk programs are, helping the agency discuss, organize, and review their cybersecurity program, including governance over this area.
• Deliver a report highlighting areas of strength and recommendations for areas requiring enhanced controls and governance.
- Questions/Inquiries Deadline: October 22, 2025