The NSW government is planning to streamline and standardise how agencies go about sourcing cyber security contractors by establishing a series of government-wide buying arrangements.
The Department of Customer Service this week approached the market to set up cyber security purchasing arrangements (CSPAs), as the need to secure the state’s digital services continues to increase.
The arrangements will seek to overcome undisclosed “issues associated with the procurement of cyber security professional services to date”, and “ultimately facilitate cyber security uplift” across government.
Services expected to be covered by what will in effect be a panel include incident response, vulnerability assessment, maturity assessment, digital forensics, penetration testing and generic cyber security professional services.
It comes as the government prepares to face a parliamentary inquiry into its handling of cyber security following a series of high-profile breaches, including an email compromise that saw 738Gb of data, or approximately 3.8 million documents, lifted from Service NSW.
The CSPAs will give agencies the confidence that they are procuring services from “capable suppliers” that have met a set of criteria ensuring services are “fit for purposes”, while minimising complexity.
This will involve “standardising the definition of services such that they are more easily understood by both buyers and suppliers allows for better comparison”, tender documents state.
The arrangements will also build on the government’s IT consultant fee caps introduced earlier this year by ‘locking in’ pricing. Suppliers will be expected to agree on “cost structures at the establishment of the CSPAs” to provide “confidence in the cost of engagements”.
The CSPAs will sit alongside the whole-of-government Cloud Purchasing Arrangements (CPAs), which were introduced by the department earlier this year to simplify public cloud procurement.
Vault Cloud, Amazon Web Services and, as of late last month, Microsoft are the first three providers to strike CPA contracts with the government, with additional providers expected to be added in the coming weeks and months.
Under Microsoft’s CPA, its existing government-wide enterprise agreement has been modified to “include an improved commercial offer for Azure”, a spokesperson for the department told iTnews.
In its cloud strategy earlier this month, the government said the “increasing adoption of cloud services” – and the “expansion of security boundaries” that comes with it – presented a “security risk to the NSW government”.
It also revealed that it – like other organisations across both the public and private sectors – is facing a “shortage in security staff”, with only 101 security personnel (78 internal, 23 external) and 226 testing personnel (85 internal, 145 external) across government.
Submissions to the CSPA expression of interest will close on November 13, with a briefing to be held on October 26. Suppliers will be invited to enter into an arrangement following a second stage of the procurement.