Cybersecurity Services (CSS) State and Local Cybersecurity Grant Program (SLCGP)

WOC Attachment 1, Statement of Work
PART I. BACKGROUND
Introduction
The primary purpose of the CSS State and Local Cybersecurity Grant Program (SLCGP) Project is to support the application for and management of federal SLCGP funds for Oregon (State), local governments, rural areas, and special districts. Funds are used to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, State, local governments, rural areas, and special districts. Each State, local government, rural area, and special district must manage its cybersecurity program funds in accordance with a federally approved State cybersecurity plan. The purpose of the States cybersecurity plan is to provide a strategic and coordinated approach to enhance the cybersecurity posture of State, local governments, rural areas, and special districts, and to allocate resources effectively to address cybersecurity challenges and protect critical information assets.
EIS Cyber Security Services requires the services of a contractor to support implementing and updating the current Oregon Cybersecurity Plan (see Attachment 2 of this WOC; also referred to as the State Cybersecurity Plan or Cybersecurity Plan) to help build a State and Local Cybersecurity Grant Program (SLCGP) for Oregon. This project may include additional work to support grant management and reporting activities.
The selected Contractor will provide Services for this Project under the WOC.
Acceptance Process for Deliverables:
Section 2.5 of Contract #9436 applies to this WOC, except that Contractor must re-deliver corrected Deliverables to Authorized Purchaser under Section 2.5.1.6 within 10 business days. A preliminary version of all Deliverables should be submitted to Authorized Purchaser for review and feedback prior to finalizing the Deliverable.
Assumptions:
Project Description: EIS is responsible for managing the Cybersecurity Plan. The Oregon Department of Emergency Management (ODEM) will manage the related funding as part of the Cybersecurity Plan. The SLCGP Project will provide how the State will work with ODEM, local governments, rural areas, and special districts to implement the Cybersecurity Plan.
Standards and Framework: The SLCGP Project will adhere to guidelines, best practices, and methodologies that are used to manage cybersecurity risks, e.g. National Institute of Standards and Technology (NIST) Cybersecurity Framework, Center for Internet Security (CIS) Critical Security Controls, ISO/IEC 27001.
This Project will maintain the completed Cybersecurity Plan that has been validated by DHSCISA and implement the Cybersecurity Plan that is operational for all eligible State local governments, rural areas, and special districts.
Project Goals: The goal of the SLCGP Project is to help state, local governments, rural areas, and special districts address cybersecurity risks and cybersecurity threats.
Overview of Services:
The Tasks completed and Deliverables delivered by the Contractor under this WOC will be for the SLCGP Project. See Attachment 2, Oregon Cybersecurity Plan, for the list of Services the State will implement.
PART II. TASKS AND DELIVERABLES
Contractor shall deliver Services in accordance with this section, the WOC, and provisions of Contract #9436 applicable to this WOC.
Administrative Tasks and Approach to Work:
Contractor shall create a Project Plan and Schedule that outlines the tasks, milestones, timeframes, responsibilities, decision points and methodology to complete the outlined scope and assure completion of all tasks within the expected timeframe. This plan and schedule will serve as the basis against which the Contractors performance will be measured.
Contractor shall complete the appropriate Deliverables. Contractor shall participate in daily and weekly planning and review meetings.
Contractor shall follow EIS and SLCGP Project standards including the naming conventions.
Primary Tasks:
Task 1: Project Management and Reporting.
Contractor shall provide all aspects of project management for its Services provided under this WOC. This specifically includes:
Participate in Project Kick-off session. The purpose of the kickoff meeting is to confirm mutual understanding of the overall SLCGP Project, the scope of this engagement, and clarification of expectations. Following execution of this WOC, Authorized Purchaser will schedule an initial kick-off session, and Contractors team will attend and participate in this review of the Project scope and expectations. Following the meeting, Contractor shall provide written synopsis of the kick-off meeting.
Contractor shall engage Authorized Purchasers SLCGP Project Team and create a Project Plan and Schedule that outlines the Tasks, Milestones, timeframes, responsibilities, decision points and methodology to complete the outlined scope and assure completion of all Services within the expected timeframe.
Contractor shall provide written status reports, SLCGP Project Team-requested updates to the Project Plan and Schedule, and meet with CSS Project Manager/Sponsor weekly or otherwise as requested by Authorized Purchaser.
Task 1 Deliverables:
Deliverable 1.A: Kickoff Meeting Synopsis. Contractor shall deliver a written summary of the kick-off session. This Deliverable must include at least an agenda, summary of action items, responsibilities, meeting minutes, and timelines. This Deliverable must be written to a level of detail that will convey mutual understanding of the scope and expectations of the engagement.
Deliverable 1.B: Project Plan and Schedule. Contractor shall develop and deliver a Project Plan and Schedule no later than 10 business days following the Acceptance of Deliverable 1.A. This Deliverable must reflect at least the following items:
Vision of how Contractor and SLCGP Project Team will function together to accomplish the Statement of Work tasks.
Each of Contractors deliverables.
Contractors understanding of the responsibilities, tasks, and deliverables required of Contractor.
Contractors expected need for SLCGP Project Team involvement in each task.
Written explanation of the plan and schedule, describing the process and time frame Contractor expects to successfully accomplish and complete the requirements, milestones and Deliverables of the Statement of Work and WOC.
Mitigation plan for any risks and issues identified.
The Project Plan will include at a minimum, the following:
Project Plan narrative that describes the overall goal and visions of the SLCGP Project.
Roles and responsibilities.
Plan for change control management.
Plan for issues and risks tracking/management.
Status report format.
Format for all Deliverables.
Deliverable tracking framework.
Status Report and meeting cadence.
The Project Schedule will:
Identify the steps necessary to complete each Task and Deliverable within the awarded Contractors Statement of Work and WOC.
Contain milestones to be met.
Identify State resources (e.g., CSS, agency representation and specific skill set or viewpoint to represent).
Contain a sequential timeframe of completion for Deliverables.
Deliverables 1.C: Weekly and Monthly Status Reports. Contractor shall deliver Weekly and Monthly Status Reports which contain details of progress, current status, and provide updated documentation of Task inputs, Task objectives, and Deliverables. Each report must document progress made towards project goals and include at least the following:
Tasks completed by Contractor.
Description of activities with percentage complete.
Description of overall Task and Deliverable percentage complete.
Description of planned activities not completed.
Description of project issues, risks or concerns that occurred or were worked during the reporting period.
Project goals planned for the next week/month.
Updates to previously Accepted Deliverables, as requested by Authorized Purchaser.
Task 2: Document Current SLCGP Program
Contractor shall facilitate the review of and document the current SLCGP Program. Documentation to be developed under this Task includes at least:
Developing stakeholder libraries.
Preparing SLCGP Planning and Advisory Committee artifacts.
Develop content for updates to the Cybersecurity Services Catalog.
Develop content for updates to the State Cybersecurity Plan.
Assist with memorandums of understanding (MOUs) with local governments.
Task 2 Deliverables
Deliverable 2.A. Grant Program Timeline Update. Contractor shall deliver an update to the Grant Program Timeline. The current Grant Program Timeline is available in the SLCGP Project Basecamp repository and includes key milestones, deadlines, and Deliverables, which ensures timely and effective implementation of cybersecurity initiatives.
Deliverable 2.B. Reserved.
Deliverable 2.C. SLCGP Planning Committee Presentations. Contractor shall develop presentations for the SLCGP Planning Committee every other week .
Deliverable 2.D. SLCGP Advisory Committee Presentations.
Contractor shall develop and prepare presentations for the SLCGP Advisory Committee, monthly or as needed.
Deliverable 2.E. SLCGP Planning Committee Monthly Status Reports.
Contractor shall prepare Monthly Status Reports for the SLCGP Planning Committee Chair, who is the State Chief Information Security Officer.
Deliverable 2.F. Cybersecurity Plan Update. Contractor shall develop a plan that describes how the SLCGP Cybersecurity Plan will be updated quarterly and the delivery method for accessing or distributing the updated Cybersecurity Plan.
Deliverable 2.G. SLCGP Cybersecurity Services Library. Contractor shall update and maintain a library of stakeholder adoption of services or programs within the State repository identified by CSS. Contractor shall create a Library of stakeholder recommended services to be adopted provided by CISA, MS-ISAC, and the State of Oregon. Contractor shall develop a plan to update catalog of Cybersecurity Services that can be consumed by participant local jurisdictions and state entities that includes description of the service and rationale of why it is a priority for Oregon.
Task 3: Document Current Security Use Cases
Contractor shall assist with the development of use cases for the purposes of defining specific scenarios or situations where the Grant Program can be used to address cybersecurity risks and improve the security posture of eligible State local governments, rural areas, and special districts. Use cases help to identify the types of projects and initiatives that can be funded through the Grant Program and provide a framework for evaluating proposals and awarding grants. Services under this Task include at least:
Participate in discussions, facilitated by Authorized Purchaser, or as otherwise authorized, with entities for which use cases are being documented by the Contractor.
Coordinate the review and completion of Nationwide Cybersecurity Review (NCSR) questionnaires.
Serve as the point of contact for local governments, rural areas, and special districts on the NCSR Use Case documentation process.
Ensure responses to questions and program information provided to states, local governments, rural areas, and special districts is consistent and authorized by Authorized Purchaser.
Analyze identified use cases and funding, and determine the processes and procedures for the SLCGP Program to award grants to local governments, rural areas, and special districts.
Task 3 Deliverables
Deliverable 3.A. Use Case Analysis. Contractor shall deliver a plan and findings summary for identifying and analyzing the following use cases provided by the SLCGP Program as well as any other use cases identified:
Cybersecurity assessments and risk management.
Cybersecurity training and awareness.
Incident response and recovery.
Upgrading and securing critical infrastructure.
Enhancing information sharing and collaboration.
Enhancing identity and access management.
Deliverable 3.B. Grant Proposals Evaluation Framework. Contractor shall develop a framework for evaluating proposals and for the SLCGP Program to award grants to local governments, rural areas, and special districts.
Task 4: Document SLCGP Operations. Contractor shall collect and analyze data from the Oregon SLCGP Planning Committee and SLCGP community engagement events and document SLCGP operations for all levels of Oregon government (e.g., State, local governments, rural areas, and special districts). Documentation must reflect the NCSR template for this work. Contractor shall complete at least the following as part of this Task:
Document as is processes of the standardized approach of the NCSR process across State local governments, rural areas, and special districts, with narratives that are satisfactory to the Authorized Purchaser.
Identify gaps between current Security use cases, NCSR template activities (Accepted Task 3 Deliverables), and identified future state.
Provide Implementation and Maintenance & Operations Plans that detail the execution from Current State to Future State.
Update Accepted Deliverables during the course of performance as requested by Authorized Purchaser.
Task 4 Deliverables
Deliverable 4.A: SLCGP Current State. Contractor shall document and deliver the SLCGP Projects current capabilities of utilizing, at least, the following NCSR tools and processes:
Self-Assessment Questionnaire (SAQ) - The SAQ is a set of questions designed to evaluate the cybersecurity posture of states, local governments, rural areas, and special districts. The NCSR template includes a standardized set of questions that must be answered by states, local governments, rural areas, and special districts, covering topics such as governance, risk management, access control, and incident response.
Security Control Assessment (SCA) - The SCA is a comprehensive evaluation of the cybersecurity controls and practices of the states, local governments, rural areas, and special districts. The NCSR template includes guidance and requirements for conducting an SCA, including the scope, methodology, and reporting requirements.
Tabletop Exercise (TTX) - The TTX is a simulated cybersecurity incident designed to test the incident response and coordination capabilities of the states, l...