Third Party Risk Management Program

Job description

Name
Third Party Risk Management Program


Request #
OA-(phone number removed)


Agency, State
Office of Administration (OA), MO


Location
Jefferson City, MO


Contract Duration
10/01/2025 06/30/2026


Release Date
08/01/2025






















SOW
The State seeks to establish the first phase of a comprehensive Third-Party Risk Management (TPRM) Program to assess, mitigate, and monitor cybersecurity risks originating from third-party service providers.

The project will review existing vendor management processes, identify gaps, create risk management policies and procedures, develop a vendor assessment framework and criticality matrix, and support pilot implementation with training and reporting deliverables

• Testing timeline must not be compressed once the work plan has been approved.
  
  


• All services must be provided in the United States.
  
  Offshore services shall not be used to perform the services outlined herein.
  
  


• Vendor resource(s) may be exchanged under the SOW without modifications of the SOW upon agreement of the SOW Vendor and the State.
  
  The State reserves the right to review resumes and accept/reject proposed resource(s).
  
  


• Security & Confidentiality All materials (including code, tools, documentation and data) provided pursuant to the SOW shall be deemed confidential.
  
  Vendor resource(s) must comply with agency and ITSD security policies, agency and ITSD required trainings, and/or required security specifications that describe: (i) required security capabilities, (ii) required design and development processes, (iii) required test and evaluation procedures, and (iv) required documentation.
  
  


• Usage of any recording devices or Generative AI recording is prohibited in any meetings associated with the project and/or this Statement of Work (SOW) by the vendors.
  
  


• The SOW Vendor resource(s) must report to the ITSD Project or Resource Manager or designee, who will provide resource(s) with sufficient knowledge to perform the work.
  
  

Submittal Requirement
Submit this SOW Word document (signed), Deliverable Payment Milestones table, Contracting Resource(s) Price Calculations table, and a separate PDF SOW response (d50 pages excluding resumes) with project overview, approach, resources, tasks/timelines, Exhibits A D, and resumes.

No embedded files or hyperlinks allowed


Evaluation Criteria
Total 200 points + 28 bonus points:

Cost 52 pts

Technical Proposal 148 pts:

Approach & Methodology 63 pts

Personnel Qualifications & Biographies 35 pts

Company History & Experience (case studies) 50 pts

Bonus: MBE/WBE 10 pts, Blind/Sheltered Workshop 15 pts, MO SDVBE 3 pts


References
Two (2) past performance case studies required in Exhibit C with organization name, contact person, phone, email, budget, timeframe, and project description


Resumes required?


Yes for all proposed resource(s) (Exhibit B)


Rate card required
No pricing is firm-fixed per deliverable; vendor to provide internal "Contracting Resource(s) Price Calculations " table


Any specific requirement
All work must be U.S.-based; no offshore services.

Adherence to ITSD security, confidentiality, and training policies.

Use of State-owned ADO/JIRA for tracking issues.

No out-of-state travel required.

No generative AI or recording devices allowed in meetings


Hardcopy/Email/portal submission
Email


Link
Via Email







Attachment of SOW:

1. Scope, Requirements, Deliverables and Invoicing
   
   
   
   1. General Requirements
      
      
      
      1. Testing timeline must not be compressed once the work plan has been approved.
      
      
      2. All services must be provided in the United States.
         
         Offshore services shall not be used to perform the services outlined herein.
      
      
      3. Vendor resource(s) may be exchanged under the SOW without modifications of the SOW upon agreement of the SOW Vendor and the State.
         
         The State reserves the right to review resumes and accept/reject proposed resource(s).
      
      
      4. Security & Confidentiality All materials (including code, tools, documentation and data) provided pursuant to the SOW shall be deemed confidential.
         
         Vendor resource(s) must comply with agency and ITSD security policies, agency and ITSD required trainings, and/or required security specifications that describe: (i) required security capabilities, (ii) required design and development processes, (iii) required test and evaluation procedures, and (iv) required documentation.
      
      
      5. Usage of any recording devices or Generative AI recording is prohibited in any meetings associated with the project and/or this Statement of Work (SOW) by the vendors.
      
      
      6. The SOW Vendor resource(s) must report to the ITSD Project or Resource Manager or designee, who will provide resource(s) with sufficient knowledge to perform the work.
      
      
      7. Vendor resource(s) are expected to conduct themselves in a professional manner and dress in a professional manner.
      
      
      8. The SOW Vendor must provide resumes for all of the SOW Vendor's resource(s) being assigned to the project for the review and acceptance by the State.
         
         The SOW Vendor's resource(s) assigned to the project are subject to the approval or rejection by the State.
         
         If there would be a need to replace the resource(s) by the SOW Vendor, any subsequent proposed resource(s) may be interviewed by the State prior to acceptance.
      
      
      9. The Vendor's resource(s) schedule and location for on-site or off-site work must be agreed upon by the SOW Vendor's Project Manager, ITSD Project/Resource Manager and the Customer Product Owner.
      
      
      10. No out-of-state travel is required on the part of the State or the SOW Vendor resource(s) for completion of this project.
      
      
      
      
   
   
   2. Vendor Minimum Experience Requirements
      
      
      
      1. The SOW Vendor must meet or exceed the following minimum experience requirements at the time of the SOW response submission and for the duration of the SOW:
         
         a.
         
         3 years' experience designing, implementing and supporting third-party risk management programs which support the NIST SP 800-53 Rev 5 SR supply chain risk management controls.
      
      
      
      
   
   
   3. Vendor Resource(s) Experience Requirements
      
      
      
      1. The SOW Vendor shall include the following team members/resource(s) to administer and perform the contract requirements:
      
      
      
      
   
   
   
   

1. Leadership Team:
   
   
   
   1. 3+ years' experience in leading an implementation team for State Government or equivalent organization.
   
   
   2. Certifications in cyber risk management or cybersecurity, such as CRISC, CGRC, CISSP preferred.
   
   
   
   


2. Working Team:
   
   
   
   1. 2+ years' experience in cyber risk management or cyber security.
   
   
   2. Certifications in cyber risk management or cybersecurity, such as CRISC, CGRC, CISSP preferred.
   
   
   3. Certifications in third part risk assessment such as CTPRA preferred.
   
   
   4. Performance Requirements
      
      
      
      1. Current State Assessment
         
         
         
         1. Review existing vendor management processes across the agencies.
         
         
         2. Identify gaps in third-party cybersecurity practices
         
         
         
         
      
      
      2. Develop Risk Management Policies and Procedures
         
         
         
         1. Create robust processes, procedures and guidelines for a standardized and consistent approach to third-party risk management.
         
         
         2. Develop and implement risk evaluation methods, including questionnaires, audits, or third-party data.
         
         
         
         
      
      
      3. Develop a Vendor Assessment Framework
         
         
         
         1. A comprehensive framework for vendor assessment will be created, incorporating best practices in risk management.
         
         
         2. Develop detailed documentation for a standardized approach to the TPRM program.
         
         
         
         
      
      
      4. Vendor Criticality Matrix
         
         
         
         1. Create a vendor risk categorization system (High, Medium, Low) to classify vendors based on their impact on operations.
         
         
         
         
      
      
      5. Implementation Support
         
         
         
         1. Assist in deploying the program in a pilot.
         
         
         2. Iterate based on feedback and extend across other agencies.
         
         
         
         
      
      
      6. Training
         
         
         
         1. Conduct train the trainer sessions for staff and provide a process manual.
         
         
         
         
      
      
      
      
   
   
   
   

1. Deliverables

LIST OF DELIVERABLES

(Requirements and Criteria that must be met)
DELIVERABLE APPROVAL ACCEPTANCE

(Describe approval acceptance conditions that must be met)



1.

Vendor Assessment Objectives Document: Define objectives focused on risk identification, mitigation, compliance assurance, and vendor security evaluation.



Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Risk Management Policies and Procedures: Provide gap analysis.
   
   develop detailed policy and procedures for a standardized approach to TPRM.
   
   Implement risk evaluation methods, including questionnaires, audits, or third-party data.

Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Vendor Assessment Framework: Create a comprehensive framework for vendor assessments based on recognized standards which incorporates best practices in risk management.

Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Vendor Criticality Matrix: Construct a matrix to classify vendors based on their criticality to operations and regulatory compliance.

Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Vendor List: Create, analyze, and categorize vendor list.

Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Application of Criticality Matrix to Vendors: Classify vendors within the developed criticality matrix based on importance and impact to State business.

Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Initial Risk Analysis Report per Vendor: Assist with utilization of existing tools, such as UpGuard, to conduct an initial risk analysis for each vendor based on the criticality classification.

Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Pilot Test Reports: Conduct a pilot test of the vendor assessment process on a selected subset of vendors utilizing the State's vendor assessment platform.

Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Revised Vendor Assessment Framework and Criticality Matrix: Evaluate effectiveness of framework and matrix, adjust based on pilot findings.

Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Final Feedback and Evaluation Summary: Review findings and make final adjustments before full implementation.

Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Conduct train the trainer sessions and provide process manual.

Project Deliverable Acceptance Form approved by the ITSD Project Manager and Enterprise Cyber Risk Manager or designee.

1. Reporting Requirements
   
   
   
   1. The SOW Vendor must provide weekly status reporting on the services being provided to the State of Missouri using the ITSD Status Report template.
      
      The SOW Vendor shall provide overall project percent complete, items for management attention, action items, project decisions made, risks, issues, out-of-scope work identified, and track change request items.
      
      The current percent complete must be reported for all deliverables and payment milestones.
   
   
   2. The ITSD Project Deliverable Acceptance Form (PDAF) must be used for deliverable acceptance.
      
      Items may require a deliverable review meeting wherein the SOW Vendor walks through the deliverable with the ITSD and agency staff, followed by revisions as required, and finally, with a request for approval and associated payment per the SOW.
   
   
   
   


2. Technical Environment Requirements
   
   
   
   1. Depending upon the agency preference, either State-owned Microsoft ADO or JIRA shall be used to record, track and resolve issues, bugs and defects.
   
   
   2. The SOW Vendor must have all necessary licenses to provide IT services in conjunction with the award of this SOW.
      
      SOW Vendor shall purchase/supply and maintain the required licenses (per developer) for all development tools for the duration of the project, unless specifically indicated by the SOW.
   
   
   
   


3. State's Obligations
   
   
   
   1. The State, ITSD, will establish an Active Directory or Alt account for each vendor and VDI-RDP (or other) to access resources as necessary.
   
   
   2. The State, ITSD, will provide a laptop or other computer devices as necessary.
   
   
   3. The State, ITSD, will provide a physical location for vendor as necessary.
   
   
   4. The State will make every effort to have the appropriate State staff available to the Vendor personnel on a timely basis.
   
   
   5. The State will make every effort to make necessary project and system documentation available on a timely basis.
   
   
   6. The State will perform timely review and approval of deliverables.
   
   
   
   


4. State Data
   
   
   
   1. State Data Location: All data associated with the solution/service shall only be hosted and stored within the United States.
      
      
      
      
      
      1. Ownership: The State's electronic data or information submitted by the state or its authorized users with authorized access to the solution/service shall be considered "State Data for ownership purposes of the contract, as the State serves as either the owner or curator of the data submitted in the solution/service.
         
         "State Data shall include: (a) the State's data collected, used, processed, stored, or generated as the result of the Services; (b) personally identifiable information ( "PII ) collected, used, processed, stored, or generated as the result of the services, including, without limitation, any information that identifies an individual, such as an individual's social security number or other government-issued identification number, date of birth, address, telephone number, biometric data, mother's maiden name, email address, credit card information, or an individual's name in combination with any other of the elements listed herein; and (c) protected health information ( "PHI ) as that term is defined under the Privacy Rule, 45 Code of Federal Regulations (CFR) 160.103.
         
         State data is and shall remain the sole and exclusive property of the State and all right, title, and interest in the same is reserved by the State.
         
         
      
      
      2. "State Data stored in the software and services being provided as a result of the contract shall also be known and treated by the SOW Vendor as confidential information in accordance with the contract, applicable SOW Vendor's documentation, and applicable law.
      
      
      
      
   
   
   2. SOW Vendor Use of State Data: The SOW Vendor shall: (a) keep and maintain state data in strict confidence, using such degree of care as is appropriate and consistent with its obligations as further described in the contract and applicable law to avoid unauthorized access, use, disclosure, or loss; (b) use and disclose state data solely and exclusively for the purpose of providing the services, such use and disclosure being in accordance with the contract, any applicable Statement of Work, and applicable law; (c) not use, sell, rent, transfer, distribute, or otherwise disclose or make available state data for SOW Vendor's own purposes or for the benefit of anyone other than the State without the State's prior written consent; and, (d) not provide state data to any third-party without the express written permission of the state.
      
      "...for the purpose of providing the services as referenced above includes the right of the SOW Vendor to use state data to prevent or address service or technical problems, and verify service improvements, in accordance with the contract and the solution's documentation, or in accordance with the State's instructions.
   
   
   3. Incremental Extraction of State Data: The SOW Vendor shall provide the State with the ability to conduct an incremental extraction of the State's data (e.g. new and changed data) from the solution on a nightly basis to update the data available in the State Data Warehouse.
      
      The incremental extraction of state data must be available without additional charges, conditions, or contingencies regarding the state's right to extract the data beyond the terms outlined in the SOW Vendor's cloud services agreement, and in the format mutually agreed to by the parties.
      
      The incremental data extractions will allow the State to maintain an updated copy of the State's data for the duration of the contract.
      
      
   
   
   4. End of Contract Extraction of State Data: At the end of the contract, the State shall have the right to extract its data from the solution for an additional sixty (60) calendar days from the date of contract expiration.
      
      The end of contract extraction of state data must be at no additional cost, conditions, or contingencies regarding the state's right to extract the data notwithstanding the terms outlined in the SOW Vendor's services agreement, and in the format that was mutually agreed to by the parties.
      
      If a term greater than 60 calendar days is required by the State to complete the state data extraction, the SOW Vendor agrees to work with the State to define the additional term and fees for the additional time.
   
   
   5. Extraction of State Data Process Validation: The SOW Vendor must allow the State to perform routine validation of the extraction of the State's data.
      
      The routine validation occurs to ensure the State's data will accurately transfer as prescribed to the State's designated extraction location and accommodates the volume of data transferred.
      
      The SOW Vendor shall assist the State by providing documentation and tools to allow the state to accurately process the extractions of the State's data for the State's continued use.
   
   
   6. Backup and Recovery of State Data: Unless otherwise described in the contract, as a part of the services, the SOW Vendor shall maintain a backup of state data and perform an orderly and timely recovery of such data in the event that the production services may be interrupted in accordance with the disaster recovery and business continuity plans.
      
      
   
   
   7. Return of State-owned Data: The SOW Vendor shall return state-owned data to the State of Missouri in a format mutually agreed to by the State and SOW Vendor and with a key or crosswalk to the information, where applicable, at no additional cost to the State.
      
      The State shall have the right to test the data extract provided by the SOW Vendor at a frequency determined by the State.
   
   
   
   


5. Invoicing and Payment Requirements
   
   
   
   1. Statement of Work Invoicing: The SOW Vendor shall follow the outlined PDAF process listed in attachments for deliverable acceptance, then upon deliverable approval, will submit their invoice to the ITSD Project or Resource Manager and Administrative Assistant.
   
   
   2. All travel-related expenses must be included within the firm, fixed deliverable price.
   
   
   
   


6. Payment Holdback
   
   
   
   1. Firm, fixed priced per deliverable to fulfill the SOW project, which shall include a 10% holdback per deliverable for any project for which the total firm, fixed price for all deliverables is $75,000 or greater.
   
   
   2. Unless otherwise authorized by the Division of Purchasing, projects with a total firm, fixed price of $75,000 or greater for all deliverables shall have ten percent (10%) holdback of each deliverable held back by the agency, which shall be paid to the SOW Vendor upon final acceptance by the state agency of the entire SOW project completion including warranty and receipt by the state agency of an accurate invoice for the final deliverable.
      
      The SOW Vendor shall understand and agree that the payment holdback provisions described herein shall not be construed as a penalty.
   
   
   3. The SOW Vendor shall understand and agree forfeiture of Payment Holdback shall result when:
      
      
      
      1. The SOW Vendor fails to fulfill the mandatory requirements of the SOW resulting in a deliverable being considered non-compliant with the SOW requirements and the SOW Vendor fails to correct and resolve the issue within ten (10) business days or other timeframe as agreed to in writing by the State; or
      
      
      2. The SOW Vendor fails to provide the state agency with an accurate invoice for all successfully completed and accepted deliverables for the SOW project within forty-five (45) days after State acceptance of the deliverables and completion of warranty period.
      
      
      
      
   
   
   4. The SOW Vendor shall understand and agree return of Payment Holdback shall result:
      
      
      
      1. If the SOW project is canceled by the State due to reasons not attributable to the fault of the SOW Vendor prior to completion of the project, all payment holdback amounts retained by the State for completed and accepted SOW deliverables for that particular SOW project shall be paid to the SOW Vendor; or
      
      
      2. If the SOW project is completed and accepted by the State and the SOW Vendor has invoiced for the project in accordance with the provisions and requirements of the contract.
      
      
      
      
   
   
   
   

Required Skill Profession

Other General