The Office of the Chief Information Officer (OCIO), under the Department of Treasury and Finance (DTF) provides whole of government ICT and cyber security services to enable a more connected and secure government so that South Australia government agencies can better serve the community.

OCIO’s current program of works aims to continuously improve South Australia agencies’ cyber security risk management capability. This includes the investment in a tool for monitoring and managing the cyber risks posed by government suppliers.

This investment aims to address the following challenges in State Government’s cyber risk management capability:

• Staying ahead of cyber threats: The evolving nature of cyber threats poses a significant challenge for SA Government’s risk management efforts. Threat actors are continuously developing new tactics, techniques, and procedures to exploit vulnerabilities including those of vendor-supplied products and services.
• Reliance on suppliers: There is a high reliance on suppliers for various services across government. Managing the security risks associated with these suppliers, including supply chain vulnerabilities, requires robust third-party risk management processes.
• Limited resources: Agencies have limited resources allocated for supplier cyber security activities which hinders their ability to invest in tools and skilled personnel.
• Varying levels of maturity: There is varying levels of maturity to supplier risk management practices, methods, and processes across the whole of SA Government.
• Inefficiencies: While there is commonality of suppliers, agencies will generally conduct their own risk assessment and due diligence activities, duplicating effort across government and by suppliers.

The objective of this procurement is to drive efficiencies in the way SA Government monitors and manages third party cyber security risks by providing a centrally managed tool that support the following objectives:

• Streamline key suppliers’ security risk assessments and due diligence activities across government agencies (particularly where there is supplier commonality) to minimise cost and reduce risk.
• Support proactive assessment of suppliers’ security risk through continual open-source reputation monitoring for changes to risk profile and monitoring of breach sites and media for notification of incidents affecting whole of government and panel suppliers.
• Provide a flexible software licensing model that enables increase/decrease in user/supplier volumes and the possible deployment of additional functionality in the future, without significant cost.
• Ensure value for money, including a transparent licensing model where costs align to the progressive implementation schedule and do not require the OCIO and agencies to pay for functionality that is not being used.
• Establish acceptable contract terms and conditions that meet the OCIO and agencies’ requirements and effectively mitigate key risks.
• Implement a support model which provides the OCIO and agencies with ongoing access to new functionality and releases over time.
• Maintain operational stability and performance of the solution.