Specifications include, but are not limited to: , is requesting information from firms with expertise in Cybersecurity Assessment. This information will assist DoIT with a potential Request for Proposal for a comprehensive cybersecurity assessment of networks and systems within the Executive Branch, State of New Hampshire.

Firm will conduct a comprehensive cybersecurity risk assessment of the State’s information technology environment in order to evaluate adherence to the State’s Information Security Policies and the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4. The assessment should adhere to guidance for risk assessments as described in NIST Special Publication 800-30 Revision 1, “Guide for Conducting Risk Assessments” and will include a security and risk assessment which includes at a minimum all IT of the State’s Executive Branch agencies. The assessment will use the NIST Cybersecurity Framework (see Table 1) as the reference model for organizing the final report to document information security measures and controls, findings, gaps and areas for improvement.

A. Vendor shall provide all proposed project management for the assessment.

B. Vendor shall perform at a minimum a security and privacy focused risk assessment based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 and 800-53 rev 4.

C. Vendor shall perform technical assessment of security controls, web applications, penetration and other testing as necessary on network-connected systems, applications, or other discovered devices.

D. Gap analysis shall be performed using the NIST cybersecurity standards and the NIST Cybersecurity Framework.