The Wisconsin Department of Health Services (DHS) is seeking proposals for a security assessment Supplier and intends to use the results of this RFP to award a Contract. The Department of Health Services does not guarantee to purchase any specific quantity or pay any minimum Contract price during the term of the Contract. Proposals that require a minimum number of commodities or services be ordered will be disqualified.

A security assessment is a measurement of the security posture of a system or organization (Miles, Rogers, Fuller, Hoagberg, & Dykstra, 2004). Security assessment is a consultative service and includes passive review, hands-on examination, and/or application and infrastructure testing. Information learned through the security assessment may be used to meet Federal, State, or other requirements and influence Information Technology (IT) decisions.

A qualified Supplier will have a wide breadth of topical knowledge, access to specialized toolsets, and an economy of scale making available the best staff to perform the services necessary including:
• Security assessment methodologies and best practices
• Multiple security regulations and frameworks
• Federal and State compliance
• Employing technical and non-technical testing and analysis methodologies
• Ability to test a multitude of technologies including cloud, on premise, network, infrastructure, and application
• Measuring and reporting risk
• System and Security Plans (SSP)

The initial scope, and only pre-defined work awarded through this Contract, will be for the annual security assessment of DHS’s eligibility and enrollment system, Client Assistance for Re-Employment and Economic Support (CARES). This assessment is required by the Centers for Medicare and Medicaid Services (CMS) on a yearly basis to obtain/keep our Authority to Connect (ATC). This assessment is based on NIST Special Publication 800-53 rev. 5 standards and guidance within CMS’s Framework for the Independent Assessment of Security and Privacy Controls.

The initial scope, and all other work resulting from this Contract, must go through a Statement of Work (SOW) process approved by both the Supplier and DHS. Both the initial CARES work and any additional as-needed work will be based on the blended hourly rate as proposed on Attachment A – Price Sheet.

The need for third party security assessment is not limited to CARES. The services covered by the Contract resulting from this RFP will be beneficial to other information systems. These services are expected to ramp up as the Contract progresses. DHS owns and manages more than 500 systems varying in size, age, and sensitivity.