ï‚· The scope includes an annual cybersecurity risk assessment for three consecutive years, focusing on both technical and procedural aspects.
ï‚· The assessment should cover all JPS facilities and IT infrastructure, including networks, servers, endpoints, medical devices, and cloud services.
ï‚· The assessment should include twice annual penetration testing.
ï‚· Assessments should be conducted using either the HITRUST Common Security Framework (CSF) or the NIST Special Publication 1271 â€" The Framework for Continuous Cybersecurity Improvement, also known as the NIST Cybersecurity Framework (NIST CsF).
ï‚· Privacy risk assessments using the HIPAA Privacy Rule, OCR Audit Protocol, HITRUST privacy controls, NIST 800-53 privacy controls, and applicable state laws are also required.
ï‚· The scope of effort will culminate yearly with the identification and prioritizing security gaps and vulnerabilities, and the yearly assessment providing actionable recommendations for remediation.

https://jpshealthnet.org/rfp/cyber-security-risk-assessment-services