EGB FY25 CBMS Annual Security & Privacy Assess FR 9657447

Background
The Governor’s Office of Information Technology (OIT) is responsible for providing all IT resources to the Colorado Executive branch and other parts of the State government. OIT is seeking an independent assessor to conduct a Year 1 security and privacy assessment of the Colorado Benefits Management System (CBMS) in compliance with the Centers for Medicare and Medicaid Services (CMS) MARS-E 2.2 requirements. The goal is to ensure that the CBMS system meets security and privacy standards as mandated by CMS.

Work Details
The contractor will perform the following tasks:

1. Complete the Security and Privacy Assessment Plan (SAP) for submission to CMS, due 30 days prior to assessment start.

2. Conduct penetration testing on identified information system components.

3. Prepare and submit the Security Assessment Report (SAR), Assessor Workbook (SAW), and Annual Attestation Memorandum, which includes results from penetration testing and vulnerability scans.

The assessment must evaluate compliance with MARS-E, security posture of underlying infrastructure, data security, proper configuration of databases, adherence to organizational security policies, and include documentation such as Business Agreements, Configuration Management Plans, Contingency Plans, Incident Response Plans, Privacy Impact Assessments, and more.

Period of Performance
The assessment is expected to commence in mid-June 2025 with final deliverables due by July 29, 2025.

Place of Performance
The work will be performed remotely; travel is not expected to be required.

Bidder Requirements
Vendors must demonstrate independence in conducting assessments without conflicts of interest. They are required to provide proof of Good Standing with the Colorado Secretary of State and an insurance certificate before contract execution.