Specifications include, but are not limited to:

• Task 1 (Deliverable) – Project schedule. The Supplier shall develop a project schedule detailing all tasks required to complete this project. The schedule shall include tasks for County review of submitted deliverables.

• Task 2 (Deliverable Report) – Requirements Trace Document (Appendix A) completed with Supplier proposed mapping to NIST 800-82 Appendix G
    • Supplier shall examine the NIST Special Publication 800-82, Appendix G (ICS Overlay) and submit their proposed mapping of the controls listed in NIST 800-82 Appendix G to the NIST Cybersecurity Framework (Version 1.1) and Privacy Framework (Version 1.0) categories and subcategories, utilizing column E of the Cybersecurity Security Framework tab and column I of the Privacy Framework tab of Appendix A to this RFP. Any proposed exclusion or tailoring of the controls included in NIST 800-82 Appendix G must be explicitly detailed, with the Supplier’s rationale provided in the deliverable report.

• Task 3 (Deliverable Report) – Requirements Trace to Proposed Policy Development
    • Upon receipt of the County’s concurrence with the mapping included in the Supplier’s submittal of Appendix A, the Supplier shall submit a report detailing their proposal for the development of all policies required to comply with the controls detailed in Appendix A.
    • The report shall include a mapping of the specific NIST 800-53 controls from Appendix A to the appropriate section of the table of contents for each of the proposed policies. The newly developed policies are intended to address all County-owned information systems, inclusive of SCADA and ICS systems. Policy guidance that is specific to SCADA or ICS systems shall be detailed as such within the content of each newly developed policy.