The vendor is required to provide cybersecurity risk assessment and penetration testing services to identify vulnerabilities, evaluate potential cybersecurity risks, ensure compliance with the institute cybersecurity framework (CSF), and recommend mitigation strategies for any findings.
- Scope of services, covering the following areas:
1. Cybersecurity risk assessment
• Risk identification: identification of all potential risks related to our IT systems, infrastructure, and data, with an emphasis on aligning the findings with the institute CSF (identify function).
• Vulnerability analysis: review and analysis of current vulnerabilities, including those identified in previous audits, penetration tests, and known threat intelligence sources.
• Risk evaluation: categorization of risks according to their likelihood and potential business impact, in line with the institute risk management framework (RMF).
• Compliance review: review of our current practices and controls for compliance with the institute CSF and other relevant regulations.
• Recommendations: development of a prioritized set of actionable recommendations for risk mitigation, focused on addressing both the protect and detect functions of the institute CSF.
2. Penetration testing
• Network penetration testing: a comprehensive assessment of our network infrastructure, including internal and external systems, firewalls, VPNs, and routers. This will include testing for common vulnerabilities and attempting to exploit them to assess the potential damage.
• Application penetration testing: review of web applications, mobile applications, and cloud-based systems for common application security risks (e.g., SQL injection, cross-site scripting (XSS), etc.).
• Social engineering: testing of employee awareness through simulated phishing, pretexting, and other social engineering tactics.
• Privilege escalation testing: attempting to gain elevated privileges in systems and assessing the impact of potential breaches.
• Report and remediation guidance: a detailed report documenting identified vulnerabilities, exploited attack vectors, and suggested remediations.
3. Institute cybersecurity framework compliance
• Identify: identify and document key cybersecurity risks, assets, and critical data to understand the organization’s risk profile.
• Protect: assess existing protections such as access control, encryption, and other security mechanisms in place to safeguard against identified risks.
• Detect: evaluate capabilities for detecting cybersecurity incidents, including intrusion detection and monitoring solutions.
• Respond: review and assess incident response plans, processes, and procedures in place to manage cybersecurity incidents effectively.
• Recover: evaluate business continuity and disaster recovery planning to ensure effective recovery after a cybersecurity event.
- Contract period/term: 1 year
- Questions/inquiries deadline: October 31, 2025