The Norwegian Agency for Public and Financial Management, through the Norwegian Public Sector Cloud Marketplace (MPS), has awarded a framework agreement for internet information security measurement to KPMG Norway AS for the provision of the cloud service RiskRecon by Mastercard.
Cyber threats are a continuous challenge for public organizations. Technological advancements have enabled attackers to exploit vulnerabilities and inflict significant damage on public and private organizations. Therefore, it is crucial to have effective strategies and tools to identify and manage cyber threats. One strategy that has proven to be very useful is the measurement of information security on the internet ("Cyber Risk Score" or CRS). MPS has therefore awarded KPMG Norway AS a framework agreement for the provision of the cloud service RiskRecon by Mastercard.
What is Cyber Risk Score?
CRS is a method for quantifying and assessing an organization's exposure to cyber threats as seen from the internet. It is a numerical value that reflects the total risk for an organization based on various factors, such as vulnerabilities in the infrastructure, historical data on security breaches, and the organization's ability to handle security incidents. CRS provides a comprehensive assessment of the security level as seen from the internet and helps organizations prioritize actions to protect themselves against potential threats. CRS also facilitates the comparison and follow-up of security in the public sector at a national level.
The Pilot Project
In the summer of 2023, MPS concluded a pilot project of a cloud service for CRS. A total of 26 state agencies and 4 municipalities participated in the pilot. The conclusion was that there is a need for a CRS service in the public sector, that this would be a useful tool for business management and for IT and security management, that it could represent an effective management tool and facilitate increased collaboration in the public sector.
About the Framework Agreement and the Way Forward
In December 2023, a competitive tender with negotiation was announced. The competition was concluded on May 30, 2024, and the contract was awarded on June 19, 2024. The framework agreement is valid for 2 years with options for extension for up to another 2 years. The framework agreement is non-exclusive for the supplier and is voluntary for public sector organizations to use. The framework agreement is open to public organizations in the civilian sector that are covered by DFØs authorization, as well as 127 municipalities and county municipalities that have joined the agreement as an option. The option will be triggered as soon as the necessary clarifications regarding value-added tax are clarified.