USA(Michigan)
CAM-0181

RFP Description

The vendor is required to provide cybersecurity monitoring services that align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
- In an effort to further protect our information systems, the authority would like to partner with an established cybersecurity firm to provide both proactive and reactive solutions that align with NIST CSF core functions across the authority's IT environment, including:
• Comprehensive monitoring of endpoints
• Networks and servers
• Microsoft 365 resources
- Monitoring and response coverage will need to be available 24 hours a day, 7 days a week, 365 days a year.
- Duties and responsibilities:
• Assign a project manager as the primary point of contact with authority.
• Initiate, document and maintain a comprehensive security monitoring program aligned to NIST CSF standards to ensure compliance with applicable data security laws, policies and regulations.
• Ensure documentation, electronic files, and data are developed, used, and maintained in a secure manner, protecting the confidentiality of all materials, records and files.
• Provide innovative, adaptable and continuous service upgrades aligned with evolving threats.
• Provide detailed information on any artificial intelligence (AI) to be used.
• Include information on how any specific AI proposed will enhance detection and response capabilities.
• Provide a solution that will integrate with current authority systems.
• Provide a service level agreement (SLA) defining explicit metrics measurable with the NIST CSF core functions to ensure effective monitoring, response times and remediation processes.
• Provide all labor, equipment, software and materials necessary to complete the specified work scope in a safe and legal manner.
• All work shall be performed in accordance with the highest standards of quality for such work.
- Service:
1. Vulnerability management
a. Continuous scanning
• Automated scanning of the IT environment to identify vulnerabilities such as outdated software, misconfigurations or other security gaps that can be exploited.
b. Vulnerability assessment
• Regular reports available through a live dashboard identifying, quantifying, and prioritizing vulnerabilities in the environment.
c. Asset identification
• Build upon the current authority IT asset repository to identify and classify assets and help understand the organization's risk profile.
2. Endpoint and network security
• Validate and implement, as needed, measures to secure authority endpoints, network and the Microsoft 365 environment.
3. Incident detection
a. Continuous real-time monitoring
• 24/7 surveillance to detect potential threats and suspicious activity in real time.
• Provide unified threat visibility across all security layers, preferably through a real-time accessible dashboard.
b. Threat detection
• Utilize advanced tools to be proactive in identifying known and unknown threats.
c. Threat hunting
• Proactive searches for hidden or advanced threats that might bypass traditional detection methods.
3. Incident response & reporting
a. Incident response
• Coordinate response efforts across relevant teams and stakeholders according to authority policy and procedures, ensuring clear communication and collaboration to contain threats quickly, minimize damage and prevent future spread.
b. Incident reporting
• Document and report security incidents following established procedures, ensuring accurate and comprehensive reporting for further analysis and response.
c. Forensic analysis
• Investigate incidents after they occur to determine root causes, attack vectors, and potential impact on systems and data to help prevent similar events in the future.
4. Recovery and remediation
a. Remediation guidance
• Advice and actions based on vulnerability assessment reporting to help correct systems in a timely manner.
b. Post incident analysis
• Execute and maintain recovery procedures, and incorporate lessons learned from past incidents into future planning.
- Data and information
• Data ownership: all information collected and/or processed belongs to authority and cannot be sold or shared with any other entities without explicit permission from authority.
• All software code, algorithms and service design would remain the property of the service provider.
• Data residency: all authority information must be kept within the country.
• Data retention: all authority information must be deleted or returned to authority when services are terminated.
• Data compliance: vendor will need to comply with all data regulations such as CJIS, PCI, PII and the state of retention requirements.
• Audit rights: authority reserves the right to audit the vendor’s practices in relation to authority data and services.
- Contract Period/Term: 2 years
- Questions/Inquiries Deadline: May 22, 2025

Timeline

RFP Posted Date: Friday, 09 May, 2025
Proposal Meeting/Conference Date: NA
Deadline for Questions/inquiries: Thursday, 22 May, 2025
Proposal Due Date: Thursday, 05 Jun, 2025
Authority: Government
Acceptable: Only for USA Organization
Work of Performance: Offsite