Cyber Security as a Service (CSaaS)

⁠⁠⁠Requirements

The Australian Institute of Health and Welfare (AIHW) is looking to establish strategic partnerships with Cyber Security vendors that can provide ad-hoc cyber security services. We are seeking to establish a contract for 12 months with a view to extend if AIHW deems the partnership successful. This Cyber Security‑as‑a‑Service (CSaaS) contract will enable us to procure services on an ad hoc basis when required.

Establishing strategic partnerships will help deliver the objectives outlined in the AIHW’s Cyber Security Strategy and is intended to uplift organisational cyber maturity across the strategic focus areas of Govern, Identify, Protect, Detect, Respond, and Recover.

We have a small dedicated Cyber Security and Assurance team that provides oversight of cyber security functions. The CSaaS contract will enable the cyber security and assurance team to augment staff as required and target specific deliverables.

The purpose of establishing a CSaaS engagement is to uplift AIHW’s cybersecurity maturity through an ad hoc professional service model that provides:

On demand cyber security risk assessments to grant an Authority to Operate (ATO) for identified AIHW applications and systems, including system specific artefacts such as SSPs, SARs, and POAMs.

Staff augmentation services that provide flexible, on-demand access to skilled professionals with the ability to temporarily fill skills gaps, scale teams when required without a long-term commitment.

Strategic cyber advisory services, where we can access specialised cyber security expertise who can provide strategic advice and insights on emerging threats, vulnerabilities, and mitigation strategies.

The vendor provides end-to-end penetration testing as a managed cyber security service, using recognised methodologies to identify and validate vulnerabilities with minimal operational disruption. Deliverables include a comprehensive report with severity‑rated findings, evidence, risk assessment, and prioritised remediation actions. The service also covers stakeholder briefings and optional post‑test remediation and re‑validation support.

Security architecture services required for delivering new capability projects. This includes but is not limited to creating design documentation and artefacts that relate to the security architecture of a system or service.

Develop and review cyber security policies. This includes but is not limited to drafting and reviewing AIHW cyber security policies, guidelines and playbooks.