**DHA will only consider invited sellers for this opportunity**

Defence Housing Australia (DHA) regularly perform security risk assessments across a range of medium to complex systems. These requests are on an ad-hoc basis.

We require these systems to go through a detailed cyber security risk assessment process.

We require experienced security service providers to perform non-complex and complex security risk assessments across DHA internal systems, integrations, web applications and Cloud products.

The successful tenderers will be onboarded for the duration of the contract to conduct security risk assessments as required, without delays to DHA project requirements and business expectations.

The scope of the work includes:

• Conduct security risk assessments on new and/or existing systems that may be introduced into DHA’s operating environment.
• Produce System Security Plans (SSP) with recommendations as per ISM guidelines.
• Produce Security Risk Management Plans (SRMP).
• Present assessment summary and documentation to key stakeholders.
• Liaise with DHA and third-party vendors to conduct discovery sessions, requirements, and assessment complexity. This includes:
• Timeframes to conduct non-complex and complex assessments.
• Current controls to meet DHA acceptable risk tolerance, and
• Where possible, include future roadmap features from vendors to remediate current associated risks.
• Scoping sessions to understand DHA’s operating environment, current controls and maturity will be undertaken as part of the onboarding process.

The assessment must include an assessment against the ACSC Essential 8 and ISM/PSPF guidelines.

A rate card must be provided for each of the levels of complexity.

The duration of this engagement will be Six (6) months with the option of Two (2) x Six (6) month extension options to be taken at the discretion of DHA.