In a request for quote (RFQ) released Sept. 22, the State Controller’s Office (SCO) seeks responses from companies capable of providing it with IT testing and assessment services on SCO systems, applications and its network. The office is helmed by state Controller Malia M. Cohen, whose duties include responsibility for accountability and disbursement of state financial resources; safeguarding unclaimed property; auditing government agencies that spend state monies; and administering state and California State University payrolls. Among the takeaways:
- The IT testing and assessment services sought must also include consulting services with the contractor working directly with SCO to determine any remediation and follow-up IT testing and assessments. All services shall ensure SCO compliance with its own security compliance standard — as determined by SCO security standard assessments. IT testing and assessment services provided should fall into three categories: penetration testing, California Military Department (CMD) independent security assessments, and SCO security standards assessments. Services must be done both remotely and onsite, with the latter category being done at an SCO facility. All remote services must be done within California. The contractor must supply at least one full-time staffer for 40 hours per week, except state holidays, who is completely trained in doing IT testing and assessments.
- Penetration testing, a.k.a. ethical hacking or pen-testing, is a proactive assessment intended to identify computer system, network or application vulnerabilities. It will involve simulating real-world cyber attacks to evaluate SCO’s security posture, with the goal of uncovering possible security flaws before they can be exploited, enabling the office to mitigate risk and strengthen its defenses. The CMD independent security assessment (ISA) is referred to as an Assembly Bill 670 assessment, a reference to the 2015 bill that set requirements for such examinations. The ISA is a technical assessment of a state entity’s network and web apps with the goal of identifying security vulnerabilities and offering implementable actions to guard against breaches. The SCO security standards assessments will involve evaluating SCO security controls against its own minimum compliance criteria and discretionary security requirements, and against established industry frameworks. This process is intended to ensure SCO meets minimum security standards and to allow customized enhancements based on its specific needs and risk profile.
- Requirements include that respondents must have done IT testing and assessment services for at least one corporation or state agency during the last two years. Key respondent staff must likewise have done IT testing and assessment services for at least one corporation or state agency during the last two years. Desirable qualities for staff include holding one or more certifications such as Global Information Assurance Certification (GIAC) Exploit Researcher and Advanced Penetration Tester, Offensive Security Experienced Penetration Tester, or GIAC Penetration Tester. Another desirable quality for staff is having done IT testing and assessment services for corporations or state agencies beyond the minimum qualification during the last two years. Respondents must provide three references who can attest to the respondent’s experience in doing similar services and give an objective performance assessment, as well as three references who can do the same for key staff.
- The precise value of any agreement isn’t stated; the agreement term will be three years with SCO reserving the right to amend. Any agreement may be terminated by SCO with 30 days’ written notice. Questions are due by 5 p.m. Tuesday, with responses coming Thursday. Bids are due by 2 p.m. Oct. 17 and will be evaluated Oct. 18-25, with mandatory interviews Oct. 26-27. A notice of intent to award is expected Oct. 31, and an award date Nov. 8. The anticipated contract start date is Jan. 1.