The Vendor is required to provide for governance, risk, and compliance (GRC) tools.
- Authorizations involve the comprehensive identification, selection, implementation, testing, and evaluation of security controls for information systems. They:
- Address software and hardware security safeguards;
- Consider procedural, physical, and personnel security measures; and
- Establish the extent to which a particular design (or architecture), configuration, and implementation meets a specified set of security requirements throughout the life cycle of the information system.
- Streamline policy, compliance, risk management, auditing, incident management, and vendor oversight processes.
- Existing Interfaces:
• ServiceNow (ITSM and CMDB)
• SolarWinds
• Riskonnect
• Splunk
• Tenable.io
• Ability to ingest OSCAL package
• Ability to export security authorization package documentation (i.e., SAP, SSP, SAR, POA&M) as OSCAL-compliant XML or JSON
• Okta
• CrowdStrike
• Azure DevOps
• Jira
• GitHub
• O365, SharePoint, PowerBI
- Business Objectives:
• Risk Management Improvement: Enhance the ability to identify, assess, assign, and mitigate risks effectively.
• Regulatory Compliance: Meet industry-specific compliance standards.
• Governance Framework Implementation: Standardize policies, procedures, and controls across the organization.
• Audit Management: Streamline internal and external audit processes, including documentation, risk ownership, and reporting.
• Operational Efficiency: Reduce manual processes and improve the efficiency of GRC tasks through automation.
- Functional Requirements:
• Risk Management Features:
o Risk assessment and analysis tools
o Risk scoring, prioritization, and downgrading due to the presence of mitigating controls
o Risk ownership, and tracking from risk finding through remediation
o Real-time risk monitoring and reporting
o Categorize systems and common control providers
o Selection of Security Controls
o Implementation of Security Controls and Frameworks
o Assess organizations, systems, and common control providers
o Authorize organizations, systems, and common control providers
o Continuous Monitoring of Security Controls
o Generation of project artifacts (Plan of Action and Milestones, burndown chart, etc.)
• System Security Plans
o System Description
o Roles and Contacts
o System diagrams (boundary, network, data flow, and directionality)
o Ports, Protocols, and Services
o System Interconnections including services, subsystems, and components
o Selected Baselines and Frameworks
o Inventory
• Compliance Management:
o Policy and procedure management
o Automated compliance checks and alerts
o Compliance tracking and reporting
• Audit Management:
o Audit planning and scheduling
o Automated evidence collection
o Issue tracking and remediation
• Incident Management:
o CSIRT incident response process management: the tool facilitates management of the IR process from event generation through lessons learned
o Root cause analysis
o Reporting and documentation
• Policy Management:
o Policy creation, review, and approval workflows
• Dashboard:
o Enterprise Dashboard across organizations, systems, and common control providers
o Operation Dashboard for individual organizations, systems, and common control providers with agency specific data isolation and role-based access.
o Generate a dashboard reporting the status of a single package or of all packages
o Notify internal and external stakeholders of changes, status updates, and other important notifications.
o Assign a task or package to an internal or external stakeholder with notification.
• Collaboration:
o Automate workflow processes
o Integrate with automated validation rules to enable pass/fail automated review and generate reports to users.
o Enable simultaneous reviews.
o Enable users on review teams to track notes and rationale for review.
o Track package progress (e.g. schedule, performance, etc.).
o Access previous versions of a package.
o Facilitate and track updates by external stakeholders.
o Import or manage diagrams in PDFs and search keywords within them.
- Contract Period/Term: 3 years
- Questions/Inquiries Deadline: July 30, 2025