Cybersecurity Risk Assessment and Penetration Testing Services

RFP Issued: March 23rd, 2026

Pre-Proposal Meeting via Microsoft Teams: March 31st, 2026 at 10:30 AM

Questions Due: April 3rd, 2026 by 10:00 AM

Proposals Due: April 13th, 2026 by 10:00 AM

The government authority located in Oakland, California is seeking a qualified vendor to conduct comprehensive cybersecurity risk assessment and penetration testing services. The scope includes analyzing the security posture of the authority's IT systems and infrastructure, specifically covering over 10 cloud applications, 2 web applications, Active Directory, endpoints, and on-premises equipment for more than 500 devices utilized by over 350 users. Social engineering assessments such as phishing, vishing, smashing, and physical pretexting are to be included.

The risk assessment portion will require asset and data inventory, risk identification, control and configuration review, and vulnerability analysis. Penetration testing will address both external and internal network testing, application security examinations, and assessments of privilege escalation and lateral movement within the environment.

Additionally, all services and reporting should be mapped to the NIST Cybersecurity Framework (CSF) across its functions: identifying assets and risks, implementing preventive controls, monitoring and detection, and evaluating incident response preparedness including playbooks and escalation procedures. The contract is expected to span two years.