Cybersecurity Assessments: At the Agency’s request, the Contractor shall conduct basic assessments of cybersecurity practices for Ohio companies. The assessment shall conform to the NIST SP 800-171 Assessment, or an equivalent standard suitable for small businesses, and shall include communicating directly with the companies, reviewing their existing cybersecurity practices, identifying deficiencies in their current cybersecurity practices, and scoring their cybersecurity practices per the NIST SP 800-171 Assessment. Cybersecurity Documentation: At the Agency’s request, the Contractor shall prepare cybersecurity documentation for companies who have undergone and completed a cybersecurity assessment. Documentation may include System Security Plans (SSP), Incident Response Plans (IRP), and/or Plan of Action or Milestones (POAM) depending on whether companies already possess such documentation. In the case companies possess an SSP and IRP, the Contractor shall review the documentation and provide revisions/updates as appropriate. The development of effective documentation will create a “roadmap” for companies to improve their cybersecurity practices beyond this assistance program. Defense Contractor Assistance: At the Agency’s request, the Contractor shall provide assistance to companies who perform or intend to perform on U.S. Department of Defense contracts. Assistance to defense contractors shall include registering and/or navigating the Supplier Performance Risk System (SPRS), upload of a company’s self-assessment score, and providing guidance on compliance with FAR 52.204-21, DFARS 252.204-7012, DFARS 252.204-7019, DFARS 252.204-7020, and DFARS 252.204-7021. General Inquiries, Assistance and Servicing: The Contractor shall respond to general cybersecurity inquiries related to the geographic region(s). These may include, among other things, providing qualified referrals for legal and other professional services to Ohio companies; informing the Agency of any cybersecurity development opportunities that arise through the year. Additionally, the Contractor may be asked to provide reasonable nonproprietary support to Ohio companies that have encountered problems or have questions in the geographic region(s). Quarterly/Annual Reports: The Contractor shall submit a quarterly report to the Agency detailing content and results of work assisting Ohio companies. The report should include the number of companies assisted, status of the assistance, Self-Assessment score and any additional information requested by the Agency. The Contractor shall provide monthly invoices detailing the hourly service breakdown for each company assisted. The Contractor shall also provide the Agency with an annual report summarizing all cybersecurity assistance and other activities engaged in by the Contractor in the region(s). Closeout Meeting: The Contractor shall facilitate a meeting upon conclusion of providing assistance to each company. This meeting will be in coordination with the company’s respective local business assistance center (Small Business Development Center and/or APEX Accelerator) and will include but not be limited to the following discussion points: recap of assistance provided to company, company’s cybersecurity weaknesses and recommendations for improvement, and recommendations for the company to continue improving its cybersecurity practices through the support of its local business assistance center.
