Minimum Qualification:
The Offeror, either through its own performance or the performance of the Key Personnel identified in this Small Procurement, must have five (5) years of experience performing cybersecurity risk assessments of similar size and scope.
Required Experience:
- Demonstrated background, expert knowledge, and experience in information security, risk management, security compliance, and project management in a large scale enterprise environment.
- Ability to understand the Judiciary’s technical and business environment, with working knowledge of security standards and in-depth knowledge of the NIST CSF Functions, Categories, and Subcategories.
- Communicate effectively with all levels of Judiciary staff, management, and executive management, both orally and in writing, tailoring the communication to the needs and experience of the intended audience.
- Interface effectively with internal and external auditors.
- Excellent interpersonal skills. High degree of professionalism and personal integrity.
- Maintain high level of confidentiality.
- Work well under pressure and with a high degree of independence.
- Assess potential problems and make sound judgements around issues that may have an adverse effect on the Judiciary.
- Effectively set and manage priorities.
- Critical thinking skills with strong attention to detail and follow up.
- Leadership and management skills to include team building, collaboration, problem solving, deductive reasoning, and negotiation.
- Self-motivated and directed.
- Skilled in handling sensitive documentation, situations, and people.
Responsibilities:
- The Successful Offeror shall work with Judiciary Information Security Project Management; the Governance, Risk, and Compliance (GRC) team; and the Information Security Officer to plan and execute the assessment, identify risks, report progress, and track responses and issues.
- If NIST assessment requirements or control frameworks are modified during this cybersecurity assessment, the Successful Offeror shall update the assessment to include any new/modified requirements or control frameworks.
- If the modifications require a modification to the level-of-effort by the Successful Offeror, the AOC will work with the Successful Offeror on a mutually agreeable change order.
Cybersecurity Risk Assessment
The Successful Offeror shall conduct a cybersecurity risk assessment as follows: Measure the Judiciary’s implemented controls and practices against the six NIST CSF version 2.0 Functions and their Categories and Subcategories, namely:
i Govern,
ii Identify,
iii Protect,
iv Detect,
v Respond, and
vi Recover.
Conduct a CSF Implementation Tiers assessment of the degree to which cybersecurity risk management practices are incorporated into Information Technology processes, and of the improvements made since the last assessment was performed. The Implementation Tiers are:
(1) Tier 1 – Partial,
(2) Tier 2 – Risk-Informed,
(3) Tier 3 – Repeatable, and
(4) Tier 4 – Adaptive.
Produce a mapping matrix of the CSF Subcategories being met, linking each to the most recent revision of:
(1) NIST SP 800-171 controls, and
(2) NIST SP 800-53 controls.
Review NIST assessment data from previous years, perform a gap analysis against it, measure year-over-year performance, and build upon the previous year’s assessment results.
Validate the existence and effectiveness of cybersecurity controls through documentation review, interviews, questionnaires, and supporting evidence rather than solely relying on policy review.
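The three requirements above (year-over-year gap analysis, a crosswalk to SP 800-53, and acceptance only of controls backed by evidence beyond policy text) can be expressed as a single scoring routine. The following is an added illustration, not part of the procurement document or of any NIST publication: the Subcategory identifiers are real CSF 2.0 IDs, but the 0-4 implementation scale, the sample scores and evidence, and the crosswalk rows are constructed for this example and would be replaced by the assessment's own data and NIST's published informative references.

```python
from dataclasses import dataclass, field

# Evidence kinds that validate a control's existence and effectiveness.
# A policy document on its own does not qualify (assumed evidence taxonomy).
VALIDATING_EVIDENCE = {"configuration", "interview", "questionnaire",
                       "log_sample", "screenshot", "test_result"}

# Constructed 0..4 implementation scale used for year-over-year comparison.
FULLY_IMPLEMENTED = 4

# Constructed crosswalk: CSF 2.0 Subcategory -> SP 800-53 control IDs.
# Illustrative only; the authoritative mapping is NIST's informative references.
CROSSWALK_800_53 = {
    "GV.RM-01": ["PM-9"],
    "ID.AM-01": ["CM-8"],
    "PR.AA-01": ["IA-2", "IA-4", "IA-5"],
    "DE.CM-01": ["AU-6", "SI-4"],
    "RS.MA-01": ["IR-4", "IR-8"],
    "RC.RP-01": ["CP-10"],
}


@dataclass
class SubcategoryResult:
    sub_id: str                 # e.g. "PR.AA-01"
    score: int                  # 0..4 on the constructed scale
    evidence: set = field(default_factory=set)

    @property
    def function(self):
        # CSF Function prefix: GV, ID, PR, DE, RS or RC
        return self.sub_id.split(".")[0]

    def validated(self):
        """True only if at least one non-policy evidence type supports the score."""
        return bool(self.evidence & VALIDATING_EVIDENCE)


def gap_analysis(previous, current):
    """Compare two assessment years and list open gaps with their 800-53 controls."""
    prev = {r.sub_id: r for r in previous}
    report = {"improved": [], "regressed": [], "unchanged": [], "new": [],
              "policy_only": [], "open_gaps": {}}
    for r in current:
        p = prev.get(r.sub_id)
        if p is None:
            report["new"].append(r.sub_id)
        elif r.score > p.score:
            report["improved"].append(r.sub_id)
        elif r.score < p.score:
            report["regressed"].append(r.sub_id)
        else:
            report["unchanged"].append(r.sub_id)
        if not r.validated():
            report["policy_only"].append(r.sub_id)
        # A gap is anything short of full implementation, or anything whose
        # score rests on policy text alone: a claimed "4" without evidence is not accepted.
        if r.score < FULLY_IMPLEMENTED or not r.validated():
            report["open_gaps"][r.sub_id] = CROSSWALK_800_53.get(r.sub_id, [])
    return report


def function_averages(results):
    """Mean score per CSF Function, for the year-over-year summary table."""
    totals = {}
    for r in results:
        totals.setdefault(r.function, []).append(r.score)
    return {f: round(sum(s) / len(s), 2) for f, s in totals.items()}


# Constructed sample data for two assessment years.
PREVIOUS_YEAR = [
    SubcategoryResult("GV.RM-01", 2, {"policy", "interview"}),
    SubcategoryResult("ID.AM-01", 1, {"policy"}),
    SubcategoryResult("PR.AA-01", 3, {"configuration", "screenshot"}),
    SubcategoryResult("DE.CM-01", 2, {"log_sample"}),
    SubcategoryResult("RS.MA-01", 3, {"policy", "test_result"}),
]
CURRENT_YEAR = [
    SubcategoryResult("GV.RM-01", 3, {"policy", "interview", "questionnaire"}),
    SubcategoryResult("ID.AM-01", 3, {"policy"}),                 # claimed gain, policy-only
    SubcategoryResult("PR.AA-01", 4, {"configuration", "test_result"}),
    SubcategoryResult("DE.CM-01", 1, {"log_sample"}),             # regression
    SubcategoryResult("RS.MA-01", 3, {"policy", "test_result"}),
    SubcategoryResult("RC.RP-01", 2, {"interview", "test_result"}),  # not assessed last year
]

if __name__ == "__main__":
    for key, value in gap_analysis(PREVIOUS_YEAR, CURRENT_YEAR).items():
        print(f"{key}: {value}")
    print("function averages:", function_averages(CURRENT_YEAR))
```

Note that ID.AM-01 appears under both "improved" and "policy_only": the score moved from 1 to 3, but because the only evidence is a policy document the routine still carries it as an open gap mapped to CM-8, which is exactly the distinction the validation requirement above draws.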