Request for Information – Cybersecurity

Silicon Valley Clean Energy (SVCE) CA

Important Dates

Deadline

Mar 31, 2019 5:00 PM

AI Overview

Silicon Valley Clean Energy Authority (SVCEA) is seeking information on how an interested consultant could identify cybersecurity risks and assess cybersecurity preparedness in the community choice aggregation sector. The RFI focuses on multiple areas:

(1) Governance and Risk Assessment - best practices for evaluating cybersecurity risks, controls, and risk assessment processes specifically for Electric Utility and CCA businesses, including senior management and board involvement;
(2) Access Rights and Controls - controls to prevent unauthorized access to systems and information, including management of user credentials, authentication, authorization methods, remote access, passwords, network segmentation and tiered access;
(3) Data Loss Prevention - robust controls in patch management and system configuration, monitoring content transferred outside the agency, unauthorized data transfers, and verification of customer fund transfer requests;
(4) Vendor Management - practices and controls related to vendor management including due diligence in vendor selection, monitoring and oversight, contract terms, and assessment of vendor relationships as part of risk assessment;
(5) Training - training tailored to specific job functions to encourage responsible employee and vendor behavior, integration of incident response procedures into personnel and vendor training;
(6) Incident/Management Response - best practices for policies, assigned roles, vulnerability assessments, and plans to address future events, including identification of data, assets, and services warranting most protection;
(7) Security Policies - development and maintenance;
(8) Security Framework - containing standards, procedures, and measurement;
(9) Vulnerability Management - monitoring, alerting and remediation;
(10) Privacy - framework for creating transparency and cybersecurity roadmap for building and leveraging current attention and focus around personal data and information security as new regulations emerge.

Responders should provide information and commentary on best practices in these areas.
