How to do a risk assessment
Procure and productize
If your state entity has released a GenAI solicitation for a “Low” risk solution, and then GenAI use is identified on the GenAI Reporting and Factsheet (STD 1000) of a top-scoring bidder, your state department must conduct a GenAI Risk Assessment of the disclosed GenAI to ensure it remains a “Low” risk solution. If the disclosed GenAI is assessed as “Low” risk:
- Submit a Case via the New Technology Consultation and Assessment request, in the CDT IT Service Portal for all risk levels.
- When the request has been processed, a CDT Customer Engagement Services (CES) Account Lead will be in contact with instructions to provide:
  - Required Generative Artificial Intelligence Risk Assessment
  - Required Generative Artificial Intelligence (GenAI) Reporting and Factsheet (STD 1000), once received from the Bidder / Offeror / Contractor Information
    - IT procurements, submit both Yes and No answers.
    - Telecommunications procurements, submit both Yes and No answers.
    - Non-IT procurements, submit only Yes answers.
  - If completed, Privacy Threshold Assessment and Privacy Impact Assessments (SIMM 5310-C).
- Then the solicitation can continue as planned.
- CDT reserves the right to audit and consult on "Low" GenAI Risk Levels with potential higher risk concerns.
If the disclosed GenAI is assessed as “Moderate” or “High” risk, your CIO, AIO, or designee must immediately contact CDT to request a consultation.
The consultation process is illustrated in a detailed workflow below.
GenAI consultation process for telecommunications, IT and non-IT
- CIO, AIO, or designee identifies from the onset (including but not limited to box 6) that a procurement is, or contains, a GenAI technology function or service, and completes the Generative Artificial Intelligence Risk Assessment, OR the state entity identifies a GenAI technology function or service from the submission of the GenAI Reporting and Factsheet (STD 1000) during the procurement process.
- Note: For GenAI acquisitions designated as “Moderate” or “High” risk, both the CIO and AIO are required to sign the Generative Artificial Intelligence Risk Assessment.
- Submit a Case via the New Technology Consultation and Assessment request, in the CDT IT Service Portal for all risk levels.
- When the request has been processed, a CDT Customer Engagement Services (CES) Account Lead will be in contact with instructions to provide:
  - Required Generative Artificial Intelligence Risk Assessment
  - Required Generative Artificial Intelligence (GenAI) Reporting and Factsheet (STD 1000), once received from the Bidder / Offeror / Contractor Information
    - IT procurements, submit both Yes and No answers.
    - Telecommunications procurements, submit both Yes and No answers.
    - Non-IT procurements, submit only Yes answers.
  - If completed, Privacy Threshold Assessment and Privacy Impact Assessments (SIMM 5310-C).
  - For an IT Procurement, complete and signed Certification of Compliance with IT Policies Template (SIMM 71-B)
- The state entity determines the risk assessment level of the GenAI to be “Low”, “Moderate”, or “High” risk.