The vendor is required to provide on-call professional services covering all cyber security areas.
- Provide on-call professional services to support its mission to maintain secure, resilient, and compliant IT environments.
- The selected contractor(s) must demonstrate expertise across a broad spectrum of cybersecurity domains and provide services on an as-needed basis, under task orders or on a project-specific basis.
- Services must span the full cybersecurity lifecycle, including strategic planning, assessment, design, implementation, optimization, and incident response.
- Services are categorized across the following:
• Strategize – align business and IT objectives; quantify benefits; develop IT strategy
• Assess – identify current and future states; enhance people, process, and platform readiness
• Design – create the solution design, integration plans, and operating procedures
• Deploy – implement, integrate, configure, test, and validate the overall solution design
• Optimize – analyze and improve the existing environment and transfer best practice knowledge
- The list of security areas includes, but is not limited to:
• Security strategy
• CISO on-demand
• Virtual CISO
• Compliance and gap analysis
• Security risk and maturity assessment
• Policy and procedures
• NIST Cybersecurity Framework
• NIST 800-53
• ISO 27001
• CIS controls
• Security architecture review and design
• Cloud and IoT security architecture
• Segmentation strategy
• AD security analysis
• PKI security assessment
• Firewall analysis
• Threat modeling and risk assessments
• Secure engineering frameworks
• Source code security
• Application of security requirements design
• Web app vulnerability assessments
• Assessments on third party vendors
• Systems hardening
• Hardened networks
• Network segmentation
• Secure data center
• Secure cloud
• Security controls for the following
o Infrastructure security
o Data security
o Identity security
o Endpoint security
o Security ops
• Audit for threat hunting and continuous testing
• Compliance audit, e.g., PCI
• Baseline security assessment
• Penetration testing, e.g., external/internal
• Red teaming
• Social engineering
• Incident response
• Incident forensics
• Root cause analysis
• Customized training
• Cyber insurance policy review and guidance.
- The total budget for all contracts combined will be $3,750,000.
- Contract Period/Term: 3 years
- Non-Mandatory Pre-Proposal Conference Date: May 27, 2025
- Questions/Inquiries Deadline: June 10, 2025