The Vendor is required to provide a Governance, Risk and Compliance (GRC) platform to support both third-party/vendor IT risk assessments (VRM) and internal IT Integrated Risk Assessments (IRM) across a geographically distributed, federated environment.
- The platform should standardize assessment workflows, templates, questionnaires, risk analysis, tracking, and reporting, while still allowing local teams to tailor assessments to their needs, and should meet university operational and compliance requirements at an optimal cost.
- The Digital Risk and Security team at agency collaborates with locations to enhance system-wide cybersecurity.
- The team provides services to address timely and pervasive issues such as cyber security, risk assessment, data security breaches, data leakage, identity theft and system outages across organizations of various sizes and industries, with the goal of enabling ongoing, secure and reliable operations across the enterprise.
- This is intended to be made available system-wide across all ten university campuses. The chosen platform will allow university locations to manage workflows for different kinds of assessments, including gathering vendor questionnaires, performing risk analysis, tracking status, and reporting. For IT teams this includes administering framework-based IT assessments, analyzing IT risk and developing actionable reports.
- Objectives: At a minimum, the chosen solution should be capable of the following:
• Manage full lifecycle of vendor IT risk management – onboarding, assessment, offboarding
• Manage IT risk assessments based on common cyber security frameworks
• Provide a scalable solution to meet the needs of a geographically distributed, federated organization
• Easily configure templates and workflows and quickly share with other locations
• Share results of vendor assessments and risk ratings with other locations
• Standardize vendor and IT risk assessments, workflows, templates and reports
• Provide a secure storage location for sensitive cybersecurity documentation that allows the university to comply with vendor requirements for handling their data.
• Build configurable, automated workflows and risk analysis, leveraging Artificial Intelligence as applicable
• Empower localized teams to tailor assessments based on their requirements
• Include interconnectivity – send and receive data – from a variety of external systems such as ticketing, asset management (e.g. ServiceNow, Jira); contract lifecycle management (CLM) and other GRC platforms (e.g. OneTrust, etc.)
• Integrate with continuous monitoring solutions for third-party (e.g. SecurityScorecard, Black Kite, etc.) and internal (BitSight, ServiceNow, etc.) risk
• Facilitate data downloading to common, non-proprietary file types without requiring help from customer support
• Reduce time and redundant effort to evaluate vendor risk using customizable analysis tools
• Improve risk visibility for multiple layers of leadership through customizable reporting dashboards and rollup reporting.
- Contract Period/Term: 5 years
- Pre-Bid Conference Date: December 10, 2025
- Questions/Inquiries Deadline: December 03, 2025