Penetration Testing as a Service

Overview

Cybersecurity & Data Privacy

Washington, District of Columbia, United StatesPosted 2 months agoDeadline: March 30th, 2026

Fit Score

Settle Intelligence

Settle helps teams find, evaluate, and respond to public RFPs. We continuously surface new opportunities, score them against your company strengths, and draft proposal responses so you can focus on the work that wins business.

SUMMARY

The Washington, DC government is requesting penetration testing services for its IT systems, including ethical hacking, web application security evaluation, and social engineering simulation.

KEY REQUIREMENTS

Provide penetration testing services
Assist in discovery, prevention, and remediation of vulnerabilities, misconfigurations, and risks for USAC Information Technology (IT) Core Systems
Provide expertise and awareness of known threats, methods, and practices of malicious actors when testing
Offer optional services to join USAC with Social Engineering tests
Offer optional physical testing for access and Wi-Fi access at USAC's headquarters office
Comply with USAC's IT Security Rules of Behavior Form and complete mandatory IT Security and Privacy Awareness Online Training
Adhere to Procurement Regulations
Comply with the privacy and security requirements and obligations found in the USAC Standard Terms and Conditions Privacy and Security Addendum
Ensure that Services provided under the Contract comply with the applicable electronic and information technology accessibility standards established in 36 C.F.R. Part 1194

BUDGET

Estimate

$50,000 – $250,000

CONTRACT DURATION

60 months

TIMELINE

RFP Released: March 3, 2026

Questions due to USAC: March 9, 2026

Q&A responses released to potential offerors: March 13, 2026

Proposal due to USAC: March 30, 2026

QUESTION DEADLINE

March 9th, 2026

Issuing Agency

Universal Service Administrative Co.

Organization overview and procurement intelligence available on paid plans.

See Issuer Research

DESCRIPTION

The government authority in Washington, DC seeks a vendor to provide penetration testing as a service for its IT core systems. The scope includes mission–system and application testing in pre–production environments to uncover vulnerabilities, design anti–patterns, and coding or configuration errors that may introduce security risks.

Services required include ethical hacking activities such as internal network scanning, port scanning, system fingerprinting, service probing, exploit research, manual vulnerability testing, and verification. Web application testing will evaluate risks including injection, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, and API/web services vulnerabilities.

Social engineering techniques are also part of the engagement and may include phishing, vishing (voice phishing), smishing (SMS phishing), and the use of AI emulation and simulation to support testing operations. The contract will be for a one-year period.

Questions regarding this RFP must be submitted no later than March 9, 2026.

Source attribution

This Settle analysis is based on the issuing organization’s public RFP listing.