Specifications include, but are not limited to:

1. Offeror shall conduct a cybersecurity risk assessment as follows:

   a. Measure the Judiciary’s implemented controls and practices against the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) control categories including:

      (1) NIST CSF categorical controls and standards to assess organizational maturity.
          i. Govern,
          ii. Identify,
          iii. Detect,
          iv. Protect,
          v. Respond, and
          vi. Recover.

      (2) Use of Capability Maturity Model Integration (CMMI) rating definitions when scoring controls as follows:
          i. 0 – Non-Existent,
          ii. 1 – Performed,
          iii. 2 – Managed,
          iv. 3 – Defined,
          v. 4 – Measured, and
          vi. 5 – Optimized.

      (3) Controls in NIST 800-53 and NIST 800-171.

      (4) Review of NIST CSF assessment data from previous years to measure year-over-year performance.

   b. Offeror shall use a combination of the following techniques/methodology to complete the assessment:

      (1) Staff/personnel interviews,
      (2) Questionnaires,
      (3) Requests for documentation,
      (4) Specific supporting evidence,
      (5) Workbooks,
      (6) Reports, and
      (7) Other pertinent information relevant to the assessment.

   c. If NIST assessment requirements or control frameworks are modified during the course of this cybersecurity assessment, the Offeror shall update the assessment to include any new/modified requirements or control frameworks. If the modifications require a modification to the level-of-effort by the Offeror, the AOC will work with the Successful Offeror on a mutually agreeable change order.