The selected vendor will be expected to perform the following services:

A. Licensing & Compliance
   1. Vendors must be licensed to do business in Oregon.
   2. Testing and gap assessments must align with NIST 800 standards.
   3. Review CIT’s cybersecurity policies for alignment with NIST 800; document gaps and provide recommendations.

B. Network & System Assessment
   1. Conduct internal and external penetration testing, including wireless networks.
   2. Perform testing during both business and after hours.
   3. Confirm segmentation of systems and assess vulnerabilities across segmented networks.
   4. In-scope systems include:
      i. ~60 servers (Windows/Linux)
      ii. ~500 endpoints (Windows/macOS; Linux possible in limited numbers)
      iii. ~350 Network devices (routers, switches, firewalls, WAPs; vendor details post-award)
      iv. Mobile devices in scope; MDM platform shared post-award
      v. IoT devices (printers, cameras; ICS/SCADA excluded)
      vi. Web applications (3–5 mission-critical; list post-award)
      vii. APIs/microservices (REST; counts post-award)
      viii. Databases (SQL/NoSQL; platforms include Microsoft SQL Server)
      ix. Domain Service (Active Directory ADDS)
      x. Cloud platforms (Azure AD, Microsoft 365, hybrid environment)
      xi. SaaS applications (e.g., O365, HR, Finance apps)
      xii. Third-party/vendor-connected systems