RFP Description

The state requires vulnerability assessment and penetration testing and may therefore seek support services for vulnerability assessment and penetration testing from the vendor.

- Methodology and tools
• Documented methodology: will provide a detailed, documented methodology for conducting assessments and tests, covering planning, execution, and reporting.
• Advanced tools: will use advanced, industry-standard tools for vulnerability assessments and penetration testing.
• Penetration test plan: will describe attack vectors, assumptions, and testing schedules.
• Standards: will align with the latest revisions of NIST SP 800-115 (testing methodology), SP 800-53 (security controls), and SP 800-53A (assessment guidelines).
• Rules of engagement: will define testing boundaries, tools, and legal constraints.
- Testing domains
• The following domains will be comprehensively covered, including but not limited to: network infrastructure (LAN, WAN, wireless/cellular, WAF, etc.), server infrastructure, client-server applications, web applications, mobile applications, cloud environments, client-side systems (workstations/software), IoT devices (intelligent transportation systems), containers and virtualization, social engineering, physical security, compliance-specific scopes, supply chain and bidder ecosystems, privileged access pathways, red team operations, and logging and monitoring systems.
• Will describe how automated tools are combined with manual techniques, explicitly covering both application-layer (code/design flaws) and network-layer (configuration/architectural) vulnerabilities.
• The successful bidder(s) will be able to adapt to organizational size, compliance needs, and the evolving threat landscape.
- Security and confidentiality
• Data protection: will describe how sensitive data will be protected, including policies for data handling, storage, and disposal.
• Confidentiality agreements: will be willing to sign confidentiality agreements to protect the state's information.
- Reporting and communication
• Comprehensive reporting: will provide comprehensive, clear reports detailing findings, risks, and recommendations.
• Regular communication: will maintain regular communication with the state government throughout the engagement.
• Test plan: will justify omitted attack vectors and include system scope, assumptions, and schedules.
• Findings report: will prioritize vulnerabilities by risk level and provide remediation steps.
• Retesting: will be able to validate fixes post-remediation.
- Staffing and turnaround times
• Appropriate staffing: will have sufficient, qualified staff to ensure quick turnaround times (30 days) for vulnerability assessment and penetration testing requests. Describe your approach to staffing.
- Location requirements
• Testing infrastructure and storage: all testing infrastructure and data storage must be located within the continental United States.
• Employee location: all employees involved in the testing process must be based in the continental United States.
• Testing location: the ability to perform testing both remotely and on premises.

Timeline

RFP Posted Date: Thursday, 15 May, 2025
Proposal Meeting/Conference Date: NA
Deadline for Questions/Inquiries: NA
Proposal Due Date: Wednesday, 28 May, 2025
Authority: Government
Acceptable: Only for USA Organization
Work of Performance: Offsite