A. Infrastructure Assessment The vendor must conduct a detailed evaluation of: • Network topology, redundancy, and equipment lifecycle. • WAN and VPN performance, remote access optimization, and encrypted traffic load. • Network latency, bandwidth utilization, packet loss, and end-user experience metrics. • Wi-Fi density, coverage modeling, and interference detection in each building. • Server and storage configuration, virtualization efficiency, redundancy, and backup integrity. • Endpoint imaging standards, patch management compliance, asset inventory accuracy, and lifecycle status. • Zero Trust Network Architecture (ZTNA) alignment and network segmentation and access models. • Hybrid cloud architecture readiness and integration with Oregon state systems or other agency partners. • Backup and disaster recovery strategies, recovery point objectives, and recovery time objectives. • Business impact analysis (BIA) to align infrastructure resilience with program critical functions. B. Cybersecurity and Compliance The engagement must include: • Assessment of Firewall rulesets, antivirus, Endpoint security, intrusion detection (IDS/IPS), log monitoring retention. • Review of PHI handling practices and HIPAA compliance alignment, encryption standards, and secure data destruction. • Vulnerability scanning and penetration testing (internal and external), email security posture, endpoint detection and response (EDR), and cloud identity management. • Evaluation of identity and access controls, MFA enforcement, privileged access management, and IAM policies.
