The Commonwealth of Massachusetts, through the Operational Services Division (OSD), has awarded Harbor Networks status as an ITT50/ITT72 contractor. The award covers converged voice and data communication systems, equipment and services state-wide. Learn more about buying from a Massachusetts state contract.
SPIN Number: 143023661
Vendor Code/Statewide Contract Number: 385895
This is a Statewide Contract for Data, Cybersecurity, and Related Audit, Compliance, and Incident Response Services. Services include a full range of audit, penetration tests, reviews, and validation of compliance with legal, regulatory and policy requirements, and related services in areas such as data breach investigation, remediation, and security of confidential information.
This contract includes 4 categories:
Category 1: Full range of data and cybersecurity audits and compliance reviews and related consulting services, including best practices, gap analysis, scorecards, compliance with internal and external controls (e.g., internal process and procedures, HIPAA, IRS, PII, CJIS), and control validation.
When to Use: For organizations in the early stages of cybersecurity planning, Category 1 is a good entry point, with awarded vendors providing a baseline cybersecurity readiness assessment. Vendors are available to audit and assess organizations’ practices, infrastructure, and compliance with federal, state, and other applicable laws and rules, uncover vulnerabilities and irregularities, and make recommendations for improvement. Category 1 may also be helpful in assessing changes to existing configurations and requirements. Such changes could involve infrastructure, vendors, policies and procedures, or legislation.
Category 2: Risk assessments as they relate to internal and external (3rd party) components. Services include risk management strategies, quality assurance audits, cloud security, vendor security, and data security management.*
When to Use: Category 2 offers risk assessments when organizations implement significant changes to hardware or software infrastructure. Examples include a new application or server, adding cloud services, or introducing a new IT service provider. Awarded vendors review the new environment and report on possible data and security risks.
Category 3: Cybersecurity testing and readiness services including external/internal penetration testing, physical security assessments, social engineering assessments, vulnerability assessments, application testing, network security assessments, endpoint security assessments, tabletop exercises, identity and access management assessments.*
When to Use: Vendors awarded to Category 3 provide assistance with assessing the organization's readiness for real-world cyber events (e.g., password cracking, cyber hacking, ransomware, and phishing) to ensure security protocols perform as designed. Vendors essentially attempt to “break into” the network environment to identify vulnerabilities and suggest actions to prevent actual breaches.
Category 4: Information Security and Cybersecurity Incident Response services, including emergency incident response services, incident containment, mitigation, remediation, internal and external communications and required notifications, forensic investigations, managed threat detection and response. Contractors are prepared to engage within 24-48 hours, 7 days a week, and implement incident response protocols as negotiated by the buyer.**
When to Use: When an organization believes that a cyber event may have taken place, vendors in Category 4 are available to assist with response efforts, including crisis management, business continuity, and communications strategy, among others.
Categories Harbor Networks Supports:
UNSPSC Code: 80-11-18-00
UNSPSC Code: 81-16-00-00
UNSPSC Code: 43-23-32-00
UNSPSC Code: 83-12-00-00
Contract Number: ITS78
* State agencies requiring engagement under this category must coordinate with and gain the approval of the Office of the Commonwealth Chief Information Security Officer (CCISO). This can be done by emailing your request to ERM@mass.gov.
** State agencies requiring engagement under this category must coordinate with and gain the approval of the Office of the Commonwealth Chief Information Security Officer (CCISO) to ensure that Enterprise systems are not at risk. This can be done by emailing your request to ERM@mass.gov.