Agenda Item   



ASR Control 19-001396




Legal Entity Taking Action:

Board of Supervisors

Board of Supervisors District(s):

All Districts

Submitting Agency/Department:

County Executive Office   (Approved)

Department Contact Person(s):

Joel Golub (714)-834-6827 



KC Roestenberg (714)-567-5075



Subject:  Renew Regional Cooperative Agreement for Cyber Security Assessment Services


CEO Concur

County Counsel Review

Clerk of the Board


Approved Agreement to Form

Consent Calendar



3 Votes Board Majority




    Budgeted: N/A

Current Year Cost: N/A

Annual Cost: N/A




    Staffing Impact:


# of Positions:

Sole Source: N/A

    Current Fiscal Year Revenue: N/A

  Funding Source: N/A

County Audit in last 3 years: N/A



    Prior Board Action: 4/11/2017 #25




Authorize the County Procurement Officer or authorized Deputy to execute Amendment Number One to renew the Regional Cooperative Agreement with Tevora Business Solutions Inc. for Cyber Security Assessment and Audit Services, effective April 11, 2020, through April 10, 2021.






Renewing the Regional Cooperative Agreement with Tevora Business Solutions Inc. will provide County departments with continued Cyber Security Assessment and Audit Services in a consistent and uniform manner.





In 2016, the Information Technology (IT) Board Ad Hoc committee directed Orange County Information Technology (OCIT) to take the lead on establishing a process for conducting third-party cyber security assessments and audits to establish a uniform process across all County departments. As such, OCIT conducted a Request for Proposal (RFP) and established a Regional Cooperative Agreement (RCA) in 2017 for Cyber Security Assessment and Audit Services. A Cyber Resilience Manager (CRM) was also hired to architect and oversee the implementation of a robust Orange County Cyber Resilience Program (CRP). Audits and assessments are a critical component of the CRP. Renewing the RCA (Attachment A) with Tevora Business Solutions Inc. (Tevora) will continue to support the mission of the CRP and allow all County departments to conduct third-party cyber security assessments and audits consistently and in line with established minimum scope requirements.


The initial cyber security assessments were conducted in 2017, and departments are scheduled to have these repeated every three years based on the Department of Homeland Security’s (DHS) recommended framework. Besides the DHS assessments, Tevora can provide the County with other critical cybersecurity services such as internal and external penetration testing, social engineering exercises, Health Insurance Portability and Accountability Act (HIPAA) audit services, validation of physical security controls, software application security assessments, policy and procedure review and development services, and incident response readiness assessments.


Regional Cooperative Agreement


RCAs are master cooperative contracts established by the County for purposes of leveraging competitive, large-volume pricing, limiting duplication of competitive solicitation efforts, increasing standardization and consistency of services provided to multiple County departments and increasing administrative efficiencies by having a single County department establish contract terms, conditions and pricing, which is extended to all other County departments. 


The RCA for Cyber Security Assessment and Audit Services with Tevora was established in April 2017 and is available for use by all County departments. It includes pre-negotiated terms and conditions with a menu of services at fixed prices. In order to utilize the RCA, County departments will be required to consult with the OCIT CRM to develop a department-specific scope of work, contact CEO/Office of Risk Management to assess insurance limit requirements based on the specific scope of work, and execute a department-specific subordinate agreement. We are extending this RCA to allow County departments more time to complete their assessment if they have not done so.


It is important to note that the RCA does not obligate the County to any minimum amount of appropriations because the contract includes a standard provision that states no guarantee is given by the County to Tevora regarding usage of the RCA. There is also a provision in the RCA that would apply to all subordinate agreements, which states funding is contingent and if appropriations are not forthcoming, or are otherwise limited, the County may immediately terminate or modify the contract without penalty.


County Subordinate Agreements


Departments will be able to execute their subordinate agreement and complete the assessment and audit. They will be required to upload audit findings into the OCIT Governance, Risk and Compliance (GRC) system. GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, report activities more effectively and avoid wasteful overlaps. Use of the GRC system for tracking cyber security audit findings will allow the County to utilize pre-built reports and dashboards and create customized reports to review cyber security assessment data. In addition, the system will enforce who can access specific risk and compliance data at the system, application, record and field levels, so users interact only with information relevant to their roles.









The proposed RCA amendment with Tevora does not financially obligate the County to a minimum amount of expenditures. Contract costs will be included as part of individual departments’ subordinate agreements. 










Attachment A – Amendment Number One
Attachment B – Original RCA-017-17010018
Attachment C – Contract Summary Form