How to do a risk assessment
Plan and prepare
Research and refine
Assess and consult
Procure and productize
If your state entity has released a GenAI solicitation for a low-risk solution, and GenAI use is then identified by a top-scoring bidder, your state department must conduct a GenAI Risk Assessment of the disclosed GenAI to ensure it remains a low-risk solution. If the disclosed GenAI is assessed as low risk:
- Submit a Case via the New Technology Consultation and Assessment request in the CDT IT Service Portal, for all risk levels.
- When the request has been processed, a CDT Customer Engagement Services (CES) Account Lead will be in contact with instructions to provide:
- Then the solicitation can continue as planned.
- CDT reserves the right to audit and consult on low GenAI Risk Levels with potential higher risk concerns.
If the disclosed GenAI is assessed as moderate or high risk, your CIO, AIO, or designee must immediately contact CDT to request a consultation.
The consultation process is illustrated in a detailed workflow below.
GenAI consultation process for telecommunications, IT and non-IT
- CIO, AIO, or designee identifies from the outset (including, but not limited to, box 6) that a procurement is, or contains, a GenAI technology function or service, and completes the Generative Artificial Intelligence Risk Assessment.
  - Note: For GenAI acquisitions designated as moderate or high risk, both the CIO and AIO are required to sign the Generative Artificial Intelligence Risk Assessment.
- Submit a Case via the New Technology Consultation and Assessment request in the CDT IT Service Portal, for all risk levels.
- When the request has been processed, a CDT Customer Engagement Services (CES) Account Lead will be in contact with instructions to provide:
  - For an IT Procurement, a completed and signed Certification of Compliance with IT Policies Template (SIMM 71-B)
- The state entity determines the risk assessment level of the GenAI to be low, moderate, or high risk.