Specifications include, but are not limited to:

The Cyber Security Assessment shall be based on the NIST Cybersecurity Framework and include, but not be limited to, a detailed review of the areas listed below. Vulnerability assessments and penetration testing should also be performed on the areas where appropriate. After completion, the vendor will be expected to provide a written report, an electronic copy of the report, and a presentation of findings. The report shall address each item listed below and provide a summary of suggested remediation (if any). Vulnerability assessments and penetration testing services will be used to identify and validate configuration and/or technical flaws within a given system or network (e.g. firewalls, routers, servers, operating systems, applications, databases, etc.).

1. Policies, procedures and standards
2. Network Device Configurations (core, edge)
3. Network Architecture
4. Wireless Infrastructure and Configuration
5. Firewall Configuration
   a. VPN Configuration
   b. DMZ Configuration
6. Server Environment and Configurations
7. Hyper-V Virtual Environment
8. Data and Information Security
9. VOIP Environment and Configuration
10. Mobile Devices
11. Desktop and Laptop Configurations
12. Physical Security

In addition, the Proposer will need to provide a framework for a Cyber Resilience Program along with a Cyber Security Implementation Plan which together should include best practices guidance, needed technical configuration modifications, equipment, testing plans, and training. This plan should be tied to meeting, at a minimum, the Center for Internet Security (CIS) Controls.