How to do a risk assessment

If your state entity has released a GenAI solicitation for a “Low” risk solution, and then GenAI use is identified on the GenAI Reporting and Factsheet (STD 1000) of a top-scoring bidder, your state department must conduct a GenAI Risk Assessment of the disclosed GenAI to ensure it remains a “Low” risk solution. If the disclosed GenAI is assessed as “Low” risk:

If the disclosed GenAI is assessed as “Moderate” or “High” risk, your CIO, AIO, or designee must immediately contact CDT to request a consultation.

The consultation process is illustrated in a detailed workflow below.

GenAI consultation process for telecommunications, IT and non-IT

Workflow for GenAI consultation process for Telecommunications, IT and non-IT
  1. CIO, AIO, or designee identifies from the onset (includes but not limited to box 6), that a procurement is, or contains, a GenAI technology function or service, and completes the Generative Artificial Intelligence Risk Assessment OR State entity identifies GenAI technology function or service from the submission of the GenAI Reporting and Factsheet (STD 1000) during the procurement process.
    1. Note: For GenAI acquisitions designated as “Moderate” or “High” risk, both the CIO and AIO are required to sign the Generative Artificial Intelligence Risk Assessment.
  2. Submit a Case via the New Technology Consultation and Assessment request, in the CDT IT Service Portal for all risk levels.
    1. When the request has been processed, a CDT Customer Engagement Services (CES) Account Lead will be in contact with instructions to provide:
      1. Required Generative Artificial Intelligence Risk Assessment
      2. Required Generative Artificial Intelligence (GenAI) Reporting and Factsheet (STD 1000), once received from the Bidder / Offeror / Contractor Information
        1. IT procurements, submit both Yes and No answers.
        2. Telecommunications procurements, submit both Yes and No answers.
        3. Non-IT procurements, submit only Yes answers.
      3. If completed, Privacy Threshold Assessment and Privacy Impact Assessments (SIMM 5310-C).
    2. For an IT Procurement, complete and signed Certification of Compliance with IT Policies Template (SIMM 71-B)
  3. The state entity determines the risk assessment level of the GenAI to be “Low”, “Moderate”, or “High” risk.

Choose the outcome of your risk assessment to move to the next step

CDT consultation is available on request. It is not required. CDT reserves the right to audit and consult on low GenAI risk levels with potential higher risk concerns.