The selected vendor shall:

- Provide installation/configuration for the GRC solution (Phase 1) - Baseline configuration to consider the product “delivered”:
  - Provide confirmation of licensing to include the following features:
    - Risk Register & Risk Scoring
    - Asset Inventory
    - Policy Management/Repository
    - Control Management/Repository
    - Compliance Tracking on a per-Framework and per-Control level
    - Audit & Reporting Dashboards
    - Business Impact Analysis Management/Repository
  - Implement the following security frameworks with blank implementation details for QAC to complete:
    - Maryland State Minimum Cybersecurity Standards 2023 (MD MCS)
    - ISO 27001: Information Security, Cybersecurity and Privacy Protection
    - NIST CSF 2.0: Cybersecurity Framework
  - Provision accounts and configure multi-factor authentication for selected QAC users
  - Hosting: Preferred SaaS/Cloud-based with the following requirements:
    - Ensure data residency within the continental USA
    - Support FIPS 140-2 validated encryption both in transit and at rest
    - Provide a current SOC 2 Type II report
    - Provide validation of current FedRAMP Moderate or higher authorization for the cloud provider
  - Provide assurance of the capability to implement additional frameworks in the future, such as:
    - CIS Controls
    - NIST AI
    - NIST Privacy Framework
    - NIST SP 800-82 for Operational Technology
- Provide a support plan for ongoing development and support to the County (Phase 2):
  - Identify and develop templates for all policies and forms identified within the MD MCS framework and provide to the county for customization and implementation
  - Collaborate with the County cybersecurity team to develop Business Impact Analyses for the 23 departments in the county
  - Collaborate with the County cybersecurity team to develop MD MCS control responses through weekly meetings to answer questions and review QAC-developed responses
  - BIA and control responses include business systems and Operational Technology (OT) systems. Professional services to complete these areas of the work package are expected to include expertise in OT discovery and cyber best practices to ensure compliance with state and federal guidance in this high-profile sector.
  - Perform an initial overall review and audit of the MD MCS framework after development
  - Goal is to develop initial control responses and related policy and form development prior to the end of the 2025 calendar year
  - Provide estimated ongoing technical and professional support of the QAC GRC for the remainder of the 2-year initial lifecycle using a pool of hours to be charged against as-needed