Closed Solicitation · DEPARTMENT OF COMMERCE
AI Summary
The NATO Communications and Information Agency seeks a contractor for crowdsourced Black Box Web Penetration Testing of external web assets. The contract will identify and remediate vulnerabilities to enhance cybersecurity. Eligible U.S. firms must have a Declaration of Eligibility and comply with NATO procurement requirements. The RFQ is expected to be distributed in February 2026, with bids closing in March 2026.
The NATO Communications and Information Agency (NCIA) intends to issue a Request for Quotation (RFQ) for the procurement of Crowdsourced Black Box Web Penetration Testing (BBPT) of External Web Assets.
Potential U.S. prime contractors must 1) maintain a professionally active facility (office, factory, laboratory, etc.) within the United States, 2) be pre-approved for participation in NATO Competitive Procurement (NCP), 3) be issued a Declaration of Eligibility (DOE) by the Department of Commerce (DOC), and 4) register with NCIA’s eProcurement tool, Neo: https://www.ncia.nato.int/business/procurement/neo-eprocurement
The reference for the RFQ is RFQ-CO-424326-BBPT and all correspondence concerning the RFQ should include this reference.
Competition Type: Lowest Price Technically Compliant
SUMMARY OF REQUIREMENT
The scope of the contract is to provide crowdsourced Black Box Web Penetration Testing (BBPT) of external web assets. The objective is to identify, report, and support the remediation of vulnerabilities, reducing NATO’s exposure to cyber threats.
The awarded Contractor shall provide all personnel, technology, and non-personal services required to conduct black-box penetration testing on NATO’s external web assets.
Contractor responsibilities include recruiting and managing vetted researchers, operating a secure testing platform, and adhering to reporting and security protocols.
In coordination with the NATO Cyber Security Centre (NCSC) Point of Contact, the Contractor shall conduct up to 10 (ten) time-boxed challenges of 90 (ninety) days each per year.
The prospective contract will be Firm-Fixed Price with a period of performance of one (1) year plus two (2) 12-month option periods.
BECOMING ELIGIBLE TO BID
If you have an NCIA DOE that can be used on other NCIA NCP opportunities, please submit the DOE to Ms. Line Sigh, Senior Contracting Officer, at RFQ-CO-424326-BBPT@ncia.nato.int
If you do not have a DOE that can be used on other NCIA NCP opportunities, you will need a DOE from the Department of Commerce (DOC). Please follow the guidance below:
NCP requires that the U.S. Government issue a DOE for potential U.S. prime contractors interested in this project. Before the U.S. Government can do so, however, the U.S. Government must approve the U.S. firm for participation in NCP. U.S. firms are approved for NCP on a facility-by-facility basis.
The U.S. NCP application is a one-time application. The application requires supporting documentation in the form of 1) a company resume or capability statement indicating contracts completed as a prime contractor and 2) an annual report or set of financial documents indicating compilation, review, or audit by an independent CPA.
U.S. firms can download a copy of the U.S. NCP application from the following website:
https://www.bis.gov/about-bis/bis-leadership-and-offices/SIES/business-opportunities-nato
DOC is the U.S. Government agency that approves NCP applications. Please submit your application and supporting documentation (as attachments) to the email address provided. If your firm is interested in a specific NCP project, please also include the following in the TEXT of your email:
- the title and/or solicitation number of the project
- the name/phone/email of the company employee who should receive the bid documents
After approval of your one-time NCP application, DOC will then know to follow up by issuing a DOE for the project. DOC will transmit the DOE to the NATO contracting agency.
IMPORTANT DATES:
Request a DOE (and, for firms new to NCP, submit the completed one-time NCP application): 30 January 2026
NCIA distributes the RFQ (planned): February 2026
Bid Closing (anticipated): March 2026
Contract Award (estimated): June 2026
NATO BUSINESS OPPORTUNITY: CROWDSOURCED BLACK BOX WEB PENETRATION TESTING (BBPT) OF EXTERNAL WEB ASSETS is a federal acquisition solicitation issued by DEPARTMENT OF COMMERCE. Review the full description, attachments, and submission requirements on SamSearch before the response deadline.