Delivery of Cyber Security Risk Assessments for Department of The Treasury Systems

Tender ID: 554531

Tender Details

Tender #:
DM-23259
Status:
Closed
Publish Date:
15 April 2024
Closing Date:
30 April 2024

Tender Description

This Tender is invited by the Issuer.

The Department of the Treasury, Cyber Governance Risk and Compliance area occasionally receives requests to perform cyber security assessments of systems ranging from Medium to Complex. These requests arise on an ad-hoc basis and may concern new or existing systems (SSP/SRMP refresh). We expect these systems to go through the detailed cyber security risk assessment process by engaging external risk assessors. This produces the SSP Annex A, SSP Annex B, SRMP and Authority to Operate (ATO) or Interim Authority to Operate (IATO) documentation, along with a Plan of Action and Milestones document.

We are looking to obtain a quotation to perform new risk assessments starting this financial year 2024, with an option to extend into the next financial years 2024-2025 and 2025-2026; the contract may include TWO (2) x 1-year extensions, totalling up to 3 years in total.

These risk assessments are for the systems of Treasury and its associated agencies where the network is managed by the Department of the Treasury.

The new risk assessments may comprise Medium and Complex systems. There may also be opportunities to revisit existing security risk documentation that was produced in the past and is due for an SRMP refresh within this three-year period.

We expect this work to be performed on a phase-by-phase basis (e.g. 4 assessment refreshes in 3 months' time). In addition to this, there may be around five (5) or more cyber policy documents that require uplift.

The scope of the work is to:

  • Conduct a risk assessment on a new and/or existing system that will be introduced into the Treasury environment.
  • Produce security documentation such as the System Security Plan (SSP), SSP Annex A and SSP Annex B, with recommendations as per ISM guidelines and in line with the Treasury Authority to Operate framework.
  • Produce a Security Risk Management Plan (SRMP) document.
  • Produce an Authority to Operate document for the ITSA and CISO to accept the risks.
  • Present an assessment summary and documentation to key stakeholders.
  • The specialists may also have to upload the list of recommendations into our GRC risk tool.

The assessment must include an assessment against the ACSC Essential Eight, the ISM/PSPF guidelines and frameworks such as the Hosting Certification Framework.

Additional minimum requirements are listed in the Requirements documentation.

* Please note that we are expecting an overall quotation for the risk assessments, covering delivery of the above documents, and not hourly rates.