State Looks to Better Assess Vendor Security
Michigan wants a “security rating snapshot” of contractors as well as a public portal that details their financial risk.
Michigan is looking to improve the security of its supply chain and better vet vendors it does business with, according to recent procurement documents.
One request for proposals issued May 15 by the state’s Department of Technology, Management & Budget (DTMB) is seeking software that would produce a “security rating snapshot” on vendors.
Rather than getting security reports on vendors after contracts are signed, these snapshots would be delivered on an ongoing basis and show each contractor’s overall security rating and how it measures up against its peers in areas like botnet inspections, open ports, spam propagation, the frequency of its patching and file sharing.
Bidders also will be required to provide a detailed disaster recovery plan that includes preparation, detection and analysis, containment, eradication, reporting and recovery. That plan must include information on handling—as well as roles and responsibilities for—the backup and recovery of data.
Potential contractors must identify business functions and restoration priorities, alternate sites and storage options they use to protect against ransomware attacks and ensure business continuity. Also required are details on training and awareness of staff and contractors and how recovery activities would be prioritized after an incident.
The RFP said the initial five-year contract will allow the state “to identify gaps in its security program and mitigate risk, providing the State crucial visibility into its digital ecosystem.”
A separate RFP from DTMB issued earlier this month calls for a repository on the financial status, products, operations and competitors for each of the state’s vendors. DTMB wants the data to be accessed through a web portal or available to be downloaded as a batch file. It anticipates that this solution would provide information on around 2,000 of its 4,5000 contractors each year.
The risk management effort has existed since a 2018 legislative directive and aims to improve operational efficiency and reduce fraud when contracting with vendors. It would also help ensure oversight and compliance with various state regulations, including tax programs and services provided through the state's social services agencies.
The winning bidder will be required to maintain a repository that can be accessed by every state agency, as well as local governments in Michigan. Information to be provided includes whether vendors have been identified as financially at risk and whether they have ethical, labor or corruption issues that may affect their ability to do business with the state. Additionally, bidders must offer the option for the state to be notified when registered businesses enter a risky financial state that could negatively impact the state, and must report on any economic trends in the state, including potential growth areas.
Contractors can propose additional areas to be included in the repository, like cybersecurity risk factors, reputational risk or compliance with environmental, social and governance goals.
Chris Teale is a reporter with Route Fifty.