In a request for proposals (RFP) issued Monday, the council seeks a vendor to help “courts and the Judicial Council assess compliance with information systems security controls that are in place, identify vulnerabilities, determine risks from any gaps identified, provide recommendations on how best to address these vulnerabilities, assist with remediation, [and] review and standardize information technology policies and procedures, with an overall goal of optimizing the Judicial Council’s information systems controls.”
The vendor would also be asked to participate in forums within the judicial branch.
Any contract would have an initial term of three years, with the council having an option for two one-year extensions with a “qualified service provider with sufficient expertise in information security, cybersecurity, information technology governance, security governance, risk management, compliance and reporting, and program management to meet the needs identified.”
The RFP notes that “engagement with a court should be a collaborative effort meant to help prepare the entity for the information technology and information security components of an audit, rather than an engagement that is itself performed in the style of an audit.” The vendor would “consult and assist in the implementation of recommendations and/or remediation findings, rather than the simple performance of a discovery/review process and the reporting of findings without follow-on support.”
The focus of the project is delivering services to about 45 small and mid-sized courts that have fewer than 300 employees. The vendor “will be expected to work primarily with an executive contact and an IT contact within each court in delivering these services,” the RFP says, adding that the contractor should expect to be engaged with multiple courts at a time in parallel, rather than engaging in a dedicated effort with a single court before commencing work with another court. “This could potentially mean the contractor is serving three to five courts at any given time,“ the RFP notes.
In addition, the vendor may be asked to perform an IT risk assessment within the judicial branch, which would require the vendor to “review compliance with information systems security controls or subsets of controls, provide testing of specific controls where applicable or warranted, determine risks resulting from any gaps identified, and recommend how best to address any gaps or risks identified in this process,” the RFP says.
The vendor would “participate in an ongoing judicial branch effort to collect, standardize and templatize” existing IT policies and procedures. “This effort is to include administration of an existing centralized information technology policy and procedure library consisting of document sets submitted from various judicial branch entities, the maintenance of a set of reference policies, standards, procedures and other related items that judicial branch entities may use as a resource in the development of their own local documentation.”
The vendor may also be asked to provide:
- Information security consulting services
- Information systems policy and procedure development, review and revision
- Standards-based risk assessments, controls reviews and testing
- Both black and gray box penetration testing
- Information systems process reviews and process engineering
- IT project reviews in support of the identification of potential points of failure
- Prepare and deliver information security-related training
An overview of the project and background information is available online. The deadline for vendors to submit questions via email is 1 p.m. May 12, with responses posted around May 19. The deadline for proposals is 1 p.m. May 26.