Specifications include, but are not limited to: 2.01 Scope The Consultant shall conduct a Cybersecurity Risk Assessment that focuses on the City’s IT environment and security management practices. The City is prepared to provide the information necessary in order for the Consultant to thoroughly assess the current environment, such as policies and other applicable documents, and meetings with key staff members. The Consultant shall use the information obtained to evaluate the City’s current environment against standards of practice, such as the NIST Cybersecurity Framework (CSF) and any other necessary regulatory requirements. The assessment will need to identify potential security gaps within the City’s current environment and provide direct objectives and prioritized recommendations for improvement. The City intends to award the Contract to the proposer that is able to provide the focused assessment, and any other value-added cyber security-related services, within the available budget identified in Section 1.05 and by the Final Deliverables Due deadline identified in the Schedule in Section 1.02. 2.02 Deliverables All tasks, services, scope, and deliverables will be further defined and agreed upon between the City and the selected Consultant, but the desired outcome includes, but is not limited to: A. Results documented on a spreadsheet with each risk identified and rated as high, medium, and low; B. An executive summary documenting overall severity of findings and risk exposure; C. A 2-year road map with prioritized recommendations for remediation to improve overall security posture; 2.03 Value-Added Services The City is interested in any value-added services that may be available and not specifically identified above, including: A. Services or tasks that could be completed and remain within the budget limitations identified in Section 1.05 B. Services or task that could be added at an additional cost, if additional funding were to become available.
