Specifications include, but are not limited to:

C.3.1 Information system security assessments.

The Contractor shall conduct security assessments of identified systems and environments to assess the ability of the OCFO and/or its technology partner to identify and stop any malicious behavior, data loss, or misuse of IT resources. Such assessments shall typically include: creating an inventory of all applications, data storage devices and systems, operating systems, management tools, and any other software and hardware components of the in-scope systems; performing documentation reviews and conducting technical review meetings with staff at a level sufficient to determine the status of the implementation of the controls outlined in NIST SP 800-53 and assess the capabilities outlined in section C.1.1, excepting those related to physical access control and security.

If any system within the scope of the assessment receives, contains, or transmits Federal Tax Information, the Contractor shall additionally perform documentation reviews and conduct technical review meetings with staff at a level sufficient to determine the status of the implementation of the controls outlined in IRS Publication 1075.