Business Impact Analysis Disaster Recovery Plan and Business Continuity Plan Services

The vendor is required to provide business impact analysis (BIA), disaster recovery plan (DRP), and business continuity plan (BCP) services to enhance organizational resilience, ensure operational continuity, and mitigate potential disruptions to critical business and operations functions.
1. Business impact analysis (BIA)
•    Conducting a comprehensive business impact analysis to identify critical business and time sensitive functions and processes and the resources that are required to support them. 
•    Leveraging and reviewing existing documentation. 
•    Determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption. 
•    The BIA will quantify the impacts of disruptions on service delivery, risks to service delivery, and recovery time objectives (RTOS), maximum tolerable downtime (MTD) and recovery point objectives (RPOS). 
•    These recovery requirements will then be used to develop strategies, solutions and plans, including Dr and BCP plans. 
•    Ranking the relative recovery priority of each function based on the strategic and business objectives of the organization. 
•    Identifying and documenting key business partners and external connections necessary to conduct agency business for the purpose of plan development and implementation. 
•    Conduct two-hour (2) workshops with each of the fourteen (14) departments to gain an understanding of the business processes. 
•    Certain departments may require multiple workshops up to a total of twenty-five (25). 
•    It is expected that additional workshops will be needed to finalize the business impact analysis with the management and senior leadership team (at least two workshops)
2. Disaster recovery plan (DRP)
•    Review the agency’s existing disaster recovery plan and supporting documentation.
•    Identify critical infrastructure, it and OT systems, and data required for the resumption of operations. 
•    Develop strategies and procedures to restore critical functions and minimize downtime.
•    Updating the existing Dr plan to be an effective, well-defined, easy to follow and appropriately sized plan.
•    Recommending a governance and team structure to coordinate agency wide disaster recovery strategies. 
•    Design a framework for assessing, testing, and refining the Dr plan on an ongoing basis. 
•    The plan is to align with national cybersecurity priorities by integrating comprehensive risk assessments, adhering to CISA and NIST standards, setting performance goals, and implementing robust training and planning. 
•    Ensure the plan includes clear protocols consistent with the NIST risk assessment framework to streamline incident response, recovery, and protect critical infrastructure against cyber threats. 
•    Facilitate a tabletop exercise to test the updated plan and identify gaps in response capabilities.
3. Business continuity plan (BCP)
•    Recommending a governance and team structure to coordinate agency wide business continuity strategies. 
•    Developing a well-defined, easy to follow and appropriately sized business continuity plan based on the business impact analysis and other findings that identify and address recovery strategies for major threat scenarios (natural, cyber or man-made) that could affect the agency’s operations. 
•    The continuity plan shall include strategies to continue critical and time sensitive processes identified in the impact analysis. 
•    The plan must identify and prioritize essential functions to be continued under all circumstances and the departments, agencies, and organizations with primary responsibilities for those functions. 
•    The plan will be developed in alignment with the act continuity guidance circular (CGC) and act business continuity planning framework, ensuring compliance with national standards and integration with local and state emergency management systems. 
•    Facilitate a tabletop exercise to test the updated plan and identify gaps in response capabilities.

- Contract Period/Term: 3 years
- Pre-Proposal Conference (Non-Mandatory) Date: September 10, 2025
- Questions/Inquires Deadline: September 15, 2025