Date Of Opening: Sep 03 2025

Penetration Tester 25-04284

Required Experience: 10 Years

  • Hartford, VERMONT, US
  • Date of Posting: Sep 02 2025
  • Contract
Job Title: Penetration Tester

Location: ONSITE - Montpelier, VT

Employment Type: Contract

Duration: Long-Term Duration



About VLink: Started in 2006 and headquartered in Connecticut, VLink is one of the fastest growing digital technology services and consulting companies. Since its inception, our innovative team members have been solving the most complex business and IT challenges of our global clients.








The Vermont Department of Motor Vehicles (DMV) is seeking a contractor to conduct cybersecurity penetration testing services on the following two distinct solutions.





The DMV seeks a cybersecurity contractor with extensive expertise in penetration testing to rigorously assess the security of VT TRIPS, with a focus on the Driver Services component, and VT Haul Pass, ensuring robust protection against potential cyber threats.





Penetration Testing Requirements:




  • Black-box testing (unauthenticated + authenticated)

  • External web app and REST endpoint testing

  • Risk-ranked vulnerability report

  • Retesting after remediation

  • Log & packet trace submission

  • Destruction attestation of test data

  • U.S.-based testing & data residency

  • Daily testing window: 8:00 AM–4:30 PM EST





REQUIREMENTS:




  • The selected contractor will work closely with ADS, AOT, Fast and ProMiles personnel as required during this engagement.

  • External web application penetration testing of VT TRIPS and VT Haul against their "production-like" environments. URLs provided at project launch.

  • External web application penetration testing against:

      • VT TRIPS - two REST endpoints (provided at project launch)

      • VT Haul Pass – one REST endpoint (provided at project launch)

  • Perform penetration tests including "black box" testing on the web site(s) / endpoints defined above to assess the extent of a compromise an attacker can achieve by identifying and exploiting any vulnerabilities. Also testing as an "authenticated user":

      • VT TRIPS – authenticated users, un-authenticated users (sites to be provided at project launch)

      • VT Haul Pass - authenticated users, un-authenticated users (sites to be provided at project launch)

  • Comprehensive report of risk-ranked vulnerabilities/findings and associated exploits.

  • Following each penetration test and remediation of specific identified vulnerabilities, a retest will be performed specifically to determine whether the vulnerabilities were successfully remediated.

  • The contractor will log and trace every packet sent to Fast Enterprises for VT TRIPS and ProMiles VT Haul Pass as part of the test and shall provide log files to DMV/ADS as an addendum to the report deliverable(s).

  • Attestation of destruction of any information obtained by the contractor resulting from these penetration tests.

  • Penetration testing must be conducted from the continental US. All data obtained in the course of this engagement must always remain in the continental US. If this is not possible, please explain.

  • The contractor will produce an initial report of any findings within 5 business days following the completion of the initial testing.

  • Contractor is authorized to perform this test during the testing period between 8:00 am and 4:30 pm EST. (blackout update dates/give as much time necessary/but not touch update windows.)

  • The contractor will provide the State with a draft report of any findings and results within 5 business days after the penetration testing is completed.

  • The report will include all identified vulnerabilities, criticality levels, steps to reproduce or screenshots and recommended corrective methods and actions.







PROJECT DELIVERABLES



Describe required deliverables in detail. Under no circumstance should a SOW be developed or an SOW RFP be released where the deliverables are not quantified or the criteria for acceptance are not defined. Be clear and concise. The deliverables identified here should be directly tied to payment provisions.






Employment Practices:

EEO, ADA, FMLA Compliant

VLink is an equal opportunity employer. At VLink, we are committed to embracing diversity, multiculturalism, and inclusion. VLink does not discriminate on the basis of race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law. All aspects of employment including the decision to hire, promote, or discharge, will be decided on the basis of qualifications, merit, performance, and business needs.
