ISIRS vendor list

When faced with a need for Information Security Incident Response Services (ISIRS), agencies often do not know where to turn.  To help guide agencies in the right direction, the Enterprise Security Office and Procurement Services teamed up to create the ISIRS vendor list​.

The ISIRS vendor list is a nonbinding, open list of qualified contractors who have submitted a response to Request for Qualification (RFQ) 102-2090-13, and have satisfied all requirements to be added to the list (see section 5 of the RFQ).  

​This list is NOT a price agreement and DOES NOT replace the need to conduct a procurement process.​​​


ISIRS are categorized as follows (click each category to view vendor list):

Anyone wishing to contract for services may use the ISIRS vendor list​ to help find qualified vendors, but must follow all required statutes, rules, and policies when conducting the procurem​ent.

How to use the list

Agency has an urgent (but not emergency) need for a vendor to perform services in one of the ISIRS categories.
​  1.  Determine which category will cover the needed service.
  2.  Determine the estimated value of the engagement to determine the procurement method (agency may work with vendors on the ISIRS list to assist in determinint estimated value).
​​a. Small procurement:  Agency ​may direct award to vendor of choice (not limited to vendors on the ISIRS list).
​​b. Intermediate procurement:  Agency may conduct an intermediate Invitation to Bid, Request for Proposal, Request for Quote, etc.
  3.  Conduct solicitation process (if applicable)
a. Draft solicitation and post to ORPIN.
b. Agency may include the vendors from the ISIRS vendor list by using the NOTICE feature in ORPIN. (Do not use INVITE feature).
c. The advertising time of the solicitation needs to be reasonable for prospective vendors and satisfy all applicable statute, rules, and policies.
  4.  Evaluate and award as you would any procurement at the same threshold.
  5.  Enter into a contract with the successful offeror.

Templates​ / guidance

  • Contract template - To streamline the negotiation process, each vendor on the list has agreed to use the attached contract template.
  • Exhibit A - Statement of work template
  • Exhibit B - Insurance requirements template
  • Risk assessment​ - To assist in assessing the risk and determining the insurance levels, use the one-page risk assessment.

Entities subje​​ct to DAS rules

All information technology-related procurements made by state agencies, including personal services and trade services, with a value of $150,000 or more, require State Chief Information Officer approval. An Information Resource Request (IRR) must be submitted to the Department of Administrative Services, Chief Information Office, IT Investment & Planning section at

Information technology investment review / approval policy​



Cinnamon Albin
DAS Enterprise Security Office