Given today’s dynamic cybersecurity landscape, it is essential for organizations to have plans and protections in place to secure their data and IT infrastructure, and the Operational Services Division, in collaboration with experts from around the Commonwealth, is pleased to offer comprehensive tools to address cybersecurity for organizations large and small.

The new ITS78 Data and Cybersecurity Statewide Contract provides a selection of experienced and qualified vendors to address all facets of cybersecurity, including baseline assessments, planning, solutions implementation, and breach remediation. The ITS78 contract, launched July 1, complements a variety of resources available to Commonwealth agencies and municipal organizations (see cover story: Coordination and Collaboration: The Commonwealth’s Cybersecurity Response).

The ITS78 Contract User Guide is expected to be available on August 23. In the meantime, send contract questions to Contract Manager Marge MacEvitt.

ITS78 Category Descriptions and User Scenarios

Category 1

Full range of data and cybersecurity audits and compliance reviews and related consulting services, including best practices, gap analysis, scorecards, compliance with internal and external controls (e.g., internal process and procedures, HIPAA, IRS, PII, CJIS), and control validation.

When to Use: For organizations in the early stages of cybersecurity planning, Category 1 is a good entry point, with awarded vendors providing a baseline cybersecurity readiness assessment. Vendors are available to audit and assess organizations’ practices, infrastructure, and compliance with federal, state, and other applicable laws and rules; uncover vulnerabilities and irregularities; and make recommendations for improvement. Category 1 also may be helpful in assessing changes to existing configurations and requirements. Such changes may involve infrastructure, vendors, policies and procedures, or legislation.

Category 2

Risk assessments as they relate to internal and external (third party) components. Services include risk management strategies, quality assurance audits, cloud security, vendor security, and data security management.*

When to Use: Category 2 offers risk assessments when organizations implement significant changes to hardware or software infrastructure. Examples include a new application or server, adding cloud services, or introducing a new IT service provider. Awarded vendors review the new environment and report on possible data and security risks.

Category 3

Cybersecurity testing and readiness services, including external/internal penetration testing, physical security assessments, social engineering assessments, vulnerability assessments, application testing, network security assessments, endpoint security assessments, tabletop exercises, and identity and access management assessments.*

When to Use: Vendors awarded to Category 3 provide assistance with assessing the organization’s readiness for real-world cyber events, e.g., password cracking, cyber hacking, ransomware, and phishing, to ensure security protocols perform as designed. Vendors essentially attempt to “break into” the network environment to identify vulnerabilities and suggest actions to prevent actual breaches.

Category 4

Information Security and Cybersecurity Incident Response services, including emergency incident response services, incident containment, mitigation, remediation, internal and external communications and required notifications, forensic investigations, managed threat detection and response. Contractors are prepared to engage within 24-48 hours, 7 days a week, and implement incident response protocols as negotiated by the buyer.**

When to Use: When an organization believes that a cyber event may have taken place, vendors in Category 4 are available to assist with response efforts, including crisis management, business continuity, and communications strategy, among others.

Related Cybersecurity Statewide Contracts

» ITS74 IT Project Services – Although ITS78 vendors may be able to implement suggested remediations, ITS74 vendors offer various consultation services to support the security of computer networks
» ITC73 IT Hardware and Services – Offers encryption devices, firewalls, and two-factor authentication tokens, among other hardware security tools
» ITS75 Software and Services – Offers network security monitoring tools, antivirus and anti-malware software, encryption tools, two-factor authentication software, and software to replace end-of-life applications, among other software resources
» ITS60 Cloud Services – Offers Cloud Solutions and related services

* State agencies requiring engagement under this category must coordinate with and gain the approval of the Office of the Commonwealth Chief Information Security Officer (CCISO).
** State agencies requiring engagement under this category must coordinate with and gain the approval of the Office of the Commonwealth Chief Information Security Officer (CCISO) to ensure that Enterprise systems are not at risk.
