The vendor is required to provide an enterprise IT governance, risk, and compliance (GRC) solution and professional services to help implement the tool and build upon existing policies and procedures to complete a full IT/OT risk management plan covering our traditional IT infrastructure and operational technology (OT) infrastructure.
- Requirements
1. Provide installation and configuration for the GRC solution
• Provide confirmation of licensing to include the following features:
o Risk register and risk scoring
o Asset inventory
o Policy management and repository
o Control management and repository
o Compliance tracking on a per-framework and per-control level
o Audit and reporting dashboards
o Business impact analysis management and repository
• Implement the following security frameworks with blank implementation details for QAC to complete:
o State Minimum Cybersecurity Standards 2023 (MCS)
o ISO 27001: information security, cybersecurity and privacy protection
o NIST CSF 2.0: Cybersecurity Framework
• Provision accounts and configure multi-factor authentication for selected agency users
• Hosting: preferred SaaS and cloud-based with the following requirements:
o Ensure data residency within the continental country
o Support FIPS 140-2 validated encryption both in transit and at rest
o Provide a current SOC 2 Type II report
o Provide validation of current FedRAMP Moderate or higher authorization for the cloud provider
o Provide assurance of the capability to implement additional frameworks in the future.
2. Provide a support plan for ongoing development and support to the county (phase 2)
• Identify and develop templates for all policies and forms identified within the MD MCS framework and provide them to the county for customization and implementation
• Collaborate with the county cybersecurity team to develop business impact analyses for the 23 departments in the county
• Collaborate with the county cybersecurity team to develop MD MCS control responses through weekly meetings to answer questions and review agency-developed responses
o BIA and control responses include business systems and operational technology (OT) systems.
o Professional services to complete these areas of the work package are expected to include expertise in OT discovery and cyber best practices to ensure compliance with state and federal guidance in this high-profile.
o Perform an initial overall review and audit of the MCS framework after development
o Goal is to develop initial control responses and related policy and form development prior to the end of the 2025 calendar year
o Provide estimated ongoing technical and professional support of the agency GRC for the remainder of the 2-year initial lifecycle, using a pool of hours to be charged against as needed.
- Contract Period/Term: 3 years