Please note: This is a Sole Source Notification. • What is the business need or problem that requires this contract? This contract addresses the need to work strategically to enhance the cybersecurity posture of school districts by promoting effective and reasonable security practices tailored to each district's unique needs. This approach aims to move away from a onesize-fits-all policy rubric that is often impractical and unsupported. Instead, the development of a strategic plan will focus on assisting districts in achieving what they consider to be reasonable security measures. To achieve this, the proposed contractor will assist with the development of an OSPI Cybersecurity Working Group to develop and implement a comprehensive K-12 cybersecurity strategy. This strategy will include the following key deliverables: o Assessment of Cybersecurity Programming/Supports/Work Underway: Development and implementation of a cybersecurity district needs assessment. Convene meetings with Educational Service Districts (ESDs) to evaluate the current state of cybersecurity programming, prioritizing districts with unmet needs. This will involve assessing the cybersecurity posture and culture, annotating local goals and plans, identifying staffing shortfalls, and potentially developing a security "toolbox" and pen-testing services. o Identification of vulnerable districts: Identify districts vulnerable due to the lack of on-site cyber-trained technical support, absence of active security policies, or lack of security concerns from administration. o Development of a State-wide K-12 Cybersecurity Policy: Assist in creating a statewide K-12 cybersecurity model policy to be distributed through Washington State School Director’s Association partner. The policy will include two levels: entry, and tier II, to accommodate small and medium-sized districts. Larger districts, which likely already have standing policies, will be addressed last. The policy will adopt a "Reasonable Security" approach and target security standards and assessments used by the State Auditor's Office, potentially coordinating with them to replicate the same assessment standards evaluation process. o Implementation of Cybersecurity Policies: With a focus on vulnerable districts, ensure that all districts have a workable cybersecurity policy. This policy will include Multi-Factor authentication (MFA) for all staff members, tiered at three levels (Strong for Admins, Mid for Key Staff, and General for Teachers and other staff). It will also involve removing device admin access from general staff, securing network VPNs, and conducting penetration (pen) testing on exposed servers. Up-chain reporting.
