Cybersecurity Services CSS State and Local Cybersecurity Grant Program SLCGP

Employer Active

1 Vacancy
The job posting is outdated and position may be filled
Job Location: others - USA

Monthly Salary: Not Disclosed

Vacancy: 1 Vacancy

Job Description

Req ID : 2277229

WOC Attachment 1, Statement of Work

PART I. BACKGROUND

  1. Introduction

The primary purpose of the CSS State and Local Cybersecurity Grant Program (SLCGP) Project is to support the application for and management of federal SLCGP funds for Oregon (State), local governments, rural areas, and special districts. Funds are used to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, State, local governments, rural areas, and special districts. Each State, local government, rural area, and special district must manage its cybersecurity program funds in accordance with a federally approved State cybersecurity plan. The purpose of the State's cybersecurity plan is to provide a strategic and coordinated approach to enhance the cybersecurity posture of State, local governments, rural areas, and special districts, and to allocate resources effectively to address cybersecurity challenges and protect critical information assets.

EIS Cyber Security Services requires the services of a contractor to support implementing and updating the current Oregon Cybersecurity Plan (see Attachment 2 of this WOC; also referred to as the "State Cybersecurity Plan" or "Cybersecurity Plan") to help build a State and Local Cybersecurity Grant Program (SLCGP) for Oregon. This project may include additional work to support grant management and reporting activities.

The selected Contractor will provide Services for this Project under the WOC.

  1. Acceptance Process for Deliverables:

Section 2.5 of Contract #9436 applies to this WOC, except that Contractor must re-deliver corrected Deliverables to Authorized Purchaser under Section 2.5.1.6 within 10 business days. A preliminary version of all Deliverables should be submitted to Authorized Purchaser for review and feedback prior to finalizing the Deliverable.

  1. Assumptions:

  1. Project Description: EIS is responsible for managing the Cybersecurity Plan. The Oregon Department of Emergency Management (ODEM) will manage the related funding as part of the Cybersecurity Plan. The SLCGP Project will set out how the State will work with ODEM, local governments, rural areas, and special districts to implement the Cybersecurity Plan.

  1. Standards and Framework: The SLCGP Project will adhere to guidelines, best practices, and methodologies that are used to manage cybersecurity risks, e.g. National Institute of Standards and Technology (NIST) Cybersecurity Framework, Center for Internet Security (CIS) Critical Security Controls, ISO/IEC 27001.

This Project will maintain the completed Cybersecurity Plan that has been validated by DHS/CISA and implement the Cybersecurity Plan that is operational for all eligible State, local governments, rural areas, and special districts.

  1. Project Goals: The goal of the SLCGP Project is to help state, local governments, rural areas, and special districts address cybersecurity risks and cybersecurity threats.

  1. Overview of Services:

The Tasks completed and Deliverables delivered by the Contractor under this WOC will be for the SLCGP Project. See Attachment 2, Oregon Cybersecurity Plan, for the list of Services the State will implement.

PART II. TASKS AND DELIVERABLES

Contractor shall deliver Services in accordance with this section, the WOC, and provisions of Contract #9436 applicable to this WOC.

  1. Administrative Tasks and Approach to Work:

  1. Contractor shall create a Project Plan and Schedule that outlines the tasks, milestones, timeframes, responsibilities, decision points and methodology to complete the outlined scope and assure completion of all tasks within the expected timeframe. This plan and schedule will serve as the basis against which the Contractor's performance will be measured.

  1. Contractor shall complete the appropriate Deliverables. Contractor shall participate in daily and weekly planning and review meetings.

  1. Contractor shall follow EIS and SLCGP Project standards including the naming conventions.



  1. Primary Tasks:

Task 1: Project Management and Reporting.

Contractor shall provide all aspects of project management for its Services provided under this WOC. This specifically includes:

  1. Participate in Project Kick-off session. The purpose of the kickoff meeting is to confirm mutual understanding of the overall SLCGP Project, the scope of this engagement, and clarification of expectations. Following execution of this WOC, Authorized Purchaser will schedule an initial kick-off session, and Contractor's team will attend and participate in this review of the Project scope and expectations. Following the meeting, Contractor shall provide written synopsis of the kick-off meeting.

  2. Contractor shall engage Authorized Purchaser's SLCGP Project Team and create a Project Plan and Schedule that outlines the Tasks, Milestones, timeframes, responsibilities, decision points and methodology to complete the outlined scope and assure completion of all Services within the expected timeframe.

  3. Contractor shall provide written status reports, SLCGP Project Team-requested updates to the Project Plan and Schedule, and meet with CSS Project Manager/Sponsor weekly or otherwise as requested by Authorized Purchaser.

Task 1 Deliverables:

Deliverable 1.A: Kickoff Meeting Synopsis. Contractor shall deliver a written summary of the kick-off session. This Deliverable must include at least an agenda, summary of action items, responsibilities, meeting minutes, and timelines. This Deliverable must be written to a level of detail that will convey mutual understanding of the scope and expectations of the engagement.

Deliverable 1.B: Project Plan and Schedule. Contractor shall develop and deliver a Project Plan and Schedule no later than 10 business days following the Acceptance of Deliverable 1.A. This Deliverable must reflect at least the following items:

  1. Vision of how Contractor and SLCGP Project Team will function together to accomplish the Statement of Work tasks.

  2. Each of Contractor's deliverables.

  3. Contractor's understanding of the responsibilities, tasks, and deliverables required of Contractor.

  4. Contractor's expected need for SLCGP Project Team involvement in each task.

  5. Written explanation of the plan and schedule, describing the process and time frame Contractor expects to successfully accomplish and complete the requirements, milestones and Deliverables of the Statement of Work and WOC.

  6. Mitigation plan for any risks and issues identified.

The Project Plan will include at a minimum, the following:

  1. Project Plan narrative that describes the overall goal and visions of the SLCGP Project.

  2. Roles and responsibilities.

  3. Plan for change control management.

  4. Plan for issues and risks tracking/management.

  5. Status report format.

  6. Format for all Deliverables.

  7. Deliverable tracking framework.

  8. Status Report and meeting cadence.

The Project Schedule will:

  1. Identify the steps necessary to complete each Task and Deliverable within the awarded Contractor's Statement of Work and WOC.

  2. Contain milestones to be met.

  3. Identify State resources (e.g., CSS, agency representation and specific skill set or viewpoint to represent).

  4. Contain a sequential timeframe of completion for Deliverables.

Deliverable 1.C: Weekly and Monthly Status Reports. Contractor shall deliver Weekly and Monthly Status Reports which contain details of progress, current status, and provide updated documentation of Task inputs, Task objectives, and Deliverables. Each report must document progress made towards project goals and include at least the following:

  1. Tasks completed by Contractor.

  2. Description of activities with percentage complete.

  3. Description of overall Task and Deliverable percentage complete.

  4. Description of planned activities not completed.

  5. Description of project issues, risks or concerns that occurred or were worked during the reporting period.

  6. Project goals planned for the next week/month.

  7. Updates to previously Accepted Deliverables, as requested by Authorized Purchaser.

Task 2: Document Current SLCGP Program

Contractor shall facilitate the review of and document the current SLCGP Program. Documentation to be developed under this Task includes at least:

  1. Developing stakeholder libraries.

  2. Preparing SLCGP Planning and Advisory Committee artifacts.

  3. Develop content for updates to the Cybersecurity Services Catalog.

  4. Develop content for updates to the State Cybersecurity Plan.

  5. Assist with memorandums of understanding (MOUs) with local governments.



Task 2 Deliverables

Deliverable 2.A. Grant Program Timeline Update. Contractor shall deliver an update to the Grant Program Timeline. The current Grant Program Timeline is available in the SLCGP Project Basecamp repository and includes key milestones, deadlines, and Deliverables, which ensures timely and effective implementation of cybersecurity initiatives.

Deliverable 2.B. Reserved.

Deliverable 2.C. SLCGP Planning Committee Presentations. Contractor shall develop presentations for the SLCGP Planning Committee every other week.

Deliverable 2.D. SLCGP Advisory Committee Presentations.

Contractor shall develop and prepare presentations for the SLCGP Advisory Committee, monthly or as needed.

Deliverable 2.E. SLCGP Planning Committee Monthly Status Reports.

Contractor shall prepare Monthly Status Reports for the SLCGP Planning Committee Chair, who is the State Chief Information Security Officer.

Deliverable 2.F. Cybersecurity Plan Update. Contractor shall develop a plan that describes how the SLCGP Cybersecurity Plan will be updated quarterly and the delivery method for accessing or distributing the updated Cybersecurity Plan.

Deliverable 2.G. SLCGP Cybersecurity Services Library. Contractor shall update and maintain a library of stakeholder adoption of services or programs within the State repository identified by CSS. Contractor shall create a Library of stakeholder-recommended services to be adopted, provided by CISA, MS-ISAC, and the State of Oregon. Contractor shall develop a plan to update the catalog of cybersecurity services that can be consumed by participant local jurisdictions and state entities that includes a description of the service and the rationale for why it is a priority for Oregon.



Task 3: Document Current Security Use Cases

Contractor shall assist with the development of use cases for the purposes of defining specific scenarios or situations where the grant program can be used to address cybersecurity risks and improve the security posture of eligible State, local governments, rural areas, and special districts. Use cases help to identify the types of projects and initiatives that can be funded through the grant program and provide a framework for evaluating proposals and awarding grants. Services under this Task include at least:

  1. Participate in discussions, facilitated by Authorized Purchaser, or as otherwise authorized, with entities for which use cases are being documented by the Contractor.

  2. Coordinate the review and completion of Nationwide Cybersecurity Review (NCSR) questionnaires.

  3. Serve as the point of contact for local governments, rural areas, and special districts on the NCSR Use Case documentation process.

  4. Ensure responses to questions and program information provided to states, local governments, rural areas, and special districts are consistent and authorized by Authorized Purchaser.

  5. Analyze identified use cases and funding, and determine the processes and procedures for the SLCGP Program to award grants to local governments, rural areas, and special districts.

Task 3 Deliverables

Deliverable 3.A. Use Case Analysis. Contractor shall deliver a plan and findings summary for identifying and analyzing the following use cases provided by the SLCGP Program as well as any other use cases identified:

  1. Cybersecurity assessments and risk management.

  2. Cybersecurity training and awareness.

  3. Incident response and recovery.

  4. Upgrading and securing critical infrastructure.

  5. Enhancing information sharing and collaboration.

  6. Enhancing identity and access management.

Deliverable 3.B. Grant Proposals Evaluation Framework. Contractor shall develop a framework for evaluating proposals and for the SLCGP Program to award grants to local governments, rural areas, and special districts.



Task 4: Document SLCGP Operations. Contractor shall collect and analyze data from the Oregon SLCGP Planning Committee and SLCGP community engagement events and document SLCGP operations for all levels of Oregon government (e.g., State, local governments, rural areas, and special districts). Documentation must reflect the NCSR template for this work. Contractor shall complete at least the following as part of this Task:

  1. Document "as is" processes of the standardized approach of the NCSR process across State, local governments, rural areas, and special districts, with narratives that are satisfactory to the Authorized Purchaser.

  2. Identify gaps between current Security use cases, NCSR template activities (Accepted Task 3 Deliverables), and identified future state.

  3. Provide Implementation and Maintenance & Operations Plans that detail the execution from Current State to Future State.

  4. Update Accepted Deliverables during the course of performance as requested by Authorized Purchaser.

Task 4 Deliverables

Deliverable 4.A: SLCGP Current State. Contractor shall document and deliver the SLCGP Project's current capabilities of utilizing, at least, the following NCSR tools and processes:

  1. Self-Assessment Questionnaire (SAQ) - The SAQ is a set of questions designed to evaluate the cybersecurity posture of states, local governments, rural areas, and special districts. The NCSR template includes a standardized set of questions that must be answered by states, local governments, rural areas, and special districts, covering topics such as governance, risk management, access control, and incident response.

  2. Security Control Assessment (SCA) - The SCA is a comprehensive evaluation of the cybersecurity controls and practices of the states, local governments, rural areas, and special districts. The NCSR template includes guidance and requirements for conducting an SCA, including the scope, methodology, and reporting requirements.

  3. Tabletop Exercise (TTX) - The TTX is a simulated cybersecurity incident designed to test the incident response and coordination capabilities of the states, local governments, rural areas, and special districts. The NCSR template includes guidance and requirements for conducting a TTX, including the scenario, objectives, and reporting requirements.

  4. Improvement Plan - Based on the results of the SAQ, SCA, and TTX, the states, local governments, rural areas, and special districts must develop and submit an improvement plan that outlines the steps they will take to address identified cybersecurity risks and gaps.

Deliverable 4.B: GAP Analysis. Contractor shall develop and deliver a GAP Analysis that identifies gaps between the Current State and identified Future State.

Deliverable 4.C: SLCGP Future State. Contractor shall develop and deliver the following plans for the SLCGP Project based on the Current State and GAP Analysis deliverables:

  1. SLCGP Implementation Plan.

  2. SLCGP Maintenance & Operations Plan.

  3. Implement multi-factor authentication.

  4. Implement enhanced logging.

  5. Data encryption for data at rest and in transit.

  6. End use of unsupported/end of life software and hardware that are accessible from the Internet.

  7. Prohibit use of known/fixed/default passwords and credentials.

  8. Ensure the ability to reconstitute systems (backups).

  9. Migration to the .gov internet domain.



Task 5: SLCGP Cybersecurity Plan. Contractor shall assist, in coordination with the EIS SLCGP Team, in maintaining the Oregon Cybersecurity Plan. This plan has been submitted to CISA/FEMA by Authorized Purchaser for review and is anticipated to be completed by September 30, 2023.

Task 5 Deliverables

Deliverable 5.A. Program Objectives. Contractor shall, based on the federally-approved Oregon Cybersecurity Plan, deliver clearly defined and documented objectives for the cybersecurity grant program, outlining the overarching goals and outcomes to be achieved through the program.

Deliverable 5.B. Program Scope and Eligibility. Contractor shall, based on the federally-approved Oregon Cybersecurity Plan, deliver detailed documentation of the scope and coverage of the grant program, including the types of cybersecurity projects or initiatives that are eligible for funding, and the criteria and requirements for local government entities to qualify for a grant.

Deliverable 5.C. Resource Allocation Plan. Contractor shall develop and deliver documentation of the process for resource allocation of State and local government information systems and networks.

Deliverable 5.D. Risk Assessment and Mitigation Plan. Contractor shall develop and deliver documentation of the process for conducting risk assessments of state and local government information systems and networks, identifying potential vulnerabilities, threats, and risks, and outlining the strategies and actions for mitigating these risks.

Deliverable 5.E. Governance and Policy Documentation. Contractor shall develop governance structures and processes for overseeing the grant program, including roles and responsibilities of program managers, stakeholders, and participants, and documentation of policies, procedures, guidelines, and best practices for managing cybersecurity initiatives at the state and local government levels.

Deliverable 5.F. Capacity Building and Training Plan. Contractor shall develop documentation of strategies and actions for building the cybersecurity capacity and capabilities of state and local government personnel, such as providing training on cybersecurity best practices, organizing awareness campaigns, and supporting professional development initiatives.

Deliverable 5.G. Incident Response and Recovery Plan. Contractor shall develop detailed documentation of the plans and procedures for detecting, responding to, and recovering from cybersecurity incidents, including the roles and responsibilities of state and local government entities, law enforcement agencies, and other stakeholders, and outlining the coordination mechanisms and communication protocols for incident response efforts.

Deliverable 5.H. Information Sharing and Collaboration Plan. Contractor shall develop documentation of strategies and actions for facilitating information sharing and collaboration among state and local government entities, and fostering partnerships with relevant stakeholders, such as federal agencies, industry associations, and cybersecurity experts, to leverage collective expertise and resources in addressing cybersecurity challenges.

Deliverable 5.I. Compliance and Reporting Plan. Contractor shall develop documentation of the processes for monitoring and ensuring compliance with relevant laws, regulations, and industry standards related to cybersecurity, and defining the reporting requirements for state and local government entities to provide regular updates on their cybersecurity performance and progress.

Deliverable 5.J. Evaluation and Continuous Improvement Plan. Contractor shall develop documentation of the process for conducting regular evaluations of the effectiveness of the grant program and its cybersecurity initiatives, and using feedback and lessons learned to continuously improve cybersecurity practices and outcomes.

Deliverable 5.K. Program Timeline and Milestones. Contractor shall develop a timeline of the grant program, including key milestones, deadlines, and deliverables, to ensure timely and effective implementation of cybersecurity initiatives.

Deliverable 5.L. Budget and Resources Documentation. Contractor shall develop documentation of the budget and resources allocated to the grant program, including funding sources, funding levels, and resource requirements for implementing cybersecurity initiatives.

Deliverable 5.M. SLCGP Cybersecurity Plan. Contractor shall develop documentation of a strategic roadmap for managing cybersecurity risks at the state and local government levels, providing a coordinated and systematic approach to enhance cybersecurity capabilities, protect critical information assets, and safeguard the public interest. It will be regularly reviewed, updated, and aligned with the evolving cybersecurity landscape and requirements of state and local governments.

  1. CONTINGENCY TASKS.

Reserved.

  1. DELIVERY AND PAYMENT SCHEDULE. Authorized Purchaser will make payments to Contractor based on Deliverables Accepted by Authorized Purchaser.

| # | Task | Deliverables | Start Date | End Date | NTE |
|---|------|--------------|------------|----------|-----|
| 1 | Project Management and Reporting | 1.A Kickoff Meeting Synopsis | | | $TBD |
| | | 1.B Project Plan and Schedule | | | $ |
| | | 1.C Weekly/Monthly Status Reports | | | $ |
| 2 | Document Current SLCGP Program | 2.A Grant Program Timeline Update | | | $ |
| | | 2.B Budget Matrix | | | |
| | | 2.C,D,E SLCGP Planning and Advisory Committee Artifacts | | | |
| | | 2.F Cybersecurity Plan Update | | | |
| | | 2.G SLCGP Cybersecurity Services Library | | | |
| 3 | Document Current Security Use Cases | 3.A Use Case Analysis | | | $ |
| | | 3.B Grant Proposals Evaluation Framework | | | $ |
| 4 | Document SLCGP Operations | 4.A SLCGP Current State | | | |
| | | 4.B GAP Analysis | | | |
| | | 4.C SLCGP Future State | | | |
| 5 | SLCGP Cybersecurity Plan | 5.A Program Objectives | | | |
| | | 5.B Program Scope and Eligibility | | | |
| | | 5.C Resource Allocation Plan | | | |
| | | 5.D Risk Assessment and Mitigation Plan | | | |
| | | 5.E Governance and Policy Documentation | | | |
| | | 5.F Capacity Building and Training Plan | | | |
| | | 5.G Incident Response and Recovery Plan | | | |
| | | 5.H Information Sharing and Collaboration Plan | | | |
| | | 5.I Compliance and Reporting Plan | | | |
| | | 5.J Evaluation and Continuous Improvement Plan | | | |
| | | 5.K Program Timeline and Milestones | | | |
| | | 5.L Budget and Resources Documentation | | | |
| | | 5.M SLCGP Cybersecurity Plan | | | |
| Total | | | | | $TBD |

Employment Type: Full Time
