SMUD is developing and implementing the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) to aid in identifying, communicating, and managing cyber risk throughout the organization. The proposer will consult with the Cybersecurity Governance, Risk and Compliance program owner, key SMUD stakeholders, and subject matter experts to develop a cybersecurity risk management process as defined in NIST Special Publication (NIST SP) 800-37, Revision 2.
A key component of the RMF is a security control catalog that contains the administrative, technical, and operational controls to be implemented on systems and components. The Privacy and Security Control Catalog will incorporate the requirements established in laws and regulations applicable to SMUD as organization-defined parameter values within the specific privacy and security controls those requirements affect. The Privacy and Security Control Catalog will use the controls identified in NIST SP 800-53, Revision 5.
Mandatory Requirements:
Proposed candidates must have specific knowledge, skills, and abilities aligned to the Cyber Policy and Strategy Planner (OV-SPP-002) work role of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework).
Deliverables:
- A comprehensive end-to-end process document that integrates the NIST RMF into SMUD's IT/OT operations, procurement process, and Cybersecurity program. The document must include, but is not limited to, instructions for SMUD stakeholders at each RMF task; a RACI table identifying which internal SMUD personnel are Responsible, Accountable, Consulted, and Informed for each task in the process document; and a list of the templates or documents that must be completed and managed by the responsible stakeholders. The process document must integrate the functionality of the Governance, Risk, and Compliance (GRC) tools used by the Cybersecurity department. These tools will be discussed after the task has been awarded and an NDA has been signed.
- A Privacy and Security Control Catalog based on NIST Special Publication 800-53, Revision 5, tailored to include the requirements established in laws and regulations applicable to SMUD.
- Privacy and Security Control assessment procedures based on NIST Special Publication 800-53A, Revision 4, for assessing the controls in the Privacy and Security Control Catalog. Because the 800-53A Revision 4 procedures are keyed to 800-53 Revision 4 control identifiers, each procedure must be mapped to the corresponding Revision 5 control in the catalog, and controls that were added, merged, or withdrawn between revisions must be reconciled.
- A Microsoft PowerPoint slide deck that describes the RMF process, SMUD's implementation of the RMF, the key tasks to perform, and the roles and responsibilities of key stakeholders.
Desirable Qualifications:
- Certified Information Systems Security Professional (CISSP) or equivalent cybersecurity certification
- Certified Authorization Professional (CAP)