Specifications include, but are not limited to:

Through this Request for Proposal (RFP) the Agency of Digital Services (ADS) (hereinafter the “State”) is seeking to establish contracts with one or more companies that can serve as a Security as a Service (SECaaS) vendor for the Vermont Health Connect (VHC) and Integrated Eligibility & Enrollment (IE&E) programs. If a suitable offer is made in response to this RFP, the State may enter into a contract (the Contract) to have the selected offeror (the Contractor) perform all or part of the work.

The Contractor shall provide the State with technical security services in the areas of testing, assessment, training, and consulting. This RFP is primarily a request for a time and materials bid, and vendors should provide an estimate of hours, security FTEs, and technical resources to be brought into the project as needed. It is expected that there will be a security task manager to track deliverables and maintain authority to connect. Additionally, there must be a security lead who will remain on the project for the contract’s duration and act as a single point of contact.

The technical security services to be provided are prescribed by the current MARS-E compliance model mandated by CMS, as well as the IRS Pub 1075 and FNS Handbook 901 Section 9 regulations. In conjunction with the VHC/IE&E M&O unit and VHC/IE&E hosting service, the main focus of services is in the areas of:

• Policy, procedure, standards, and guidelines development, review, implementation, and ongoing revisions.
• Security Risk Management, including sustaining existing risk management frameworks or delivery of risk frameworks that include registration, classification, and management of risk.
• Operationalization and ongoing management of internal and external security audits
  o Full audit management of CMS Plan of Action and Milestones (POA&M) and IRS Corrective Action Plan (CAP) remediation.