Closed Solicitation · DEPARTMENT OF COMMERCE
AI Summary
The NATO Communications and Information Agency is seeking quotations for a web asset security assessment through grey box penetration testing. Eligible U.S. contractors must meet specific security and registration requirements. The project aims to identify vulnerabilities in NATO web assets, with a performance period starting in April 2025. Interested firms should prepare for the DOE application process by the deadline of September 22, 2025.
The NATO Communications and Information Agency (NCIA) intends to issue a Request for Quotation (RFQ) for Web Asset Security Assessment Grey Box Web Penetration Testing.
Potential U.S. prime contractors must 1) maintain a professionally active facility (office, factory, laboratory, etc.) within the United States, 2) be pre-approved for participation in NATO International Competitive Bidding (ICB), 3) be issued a Declaration of Eligibility (DOE) by the Department of Commerce (DOC), and 4) register with the NCI Agency’s eProcurement tool, Neo: https://www.ncia.nato.int/business/procurement/neo-eprocurement
In addition, contractor personnel will be required to work unescorted in Class II Security areas. Therefore, access can only be permitted to cleared individuals. Only companies maintaining the appropriate personnel clearances will be able to perform the resulting contract.
The reference for the RFQ is RFQ-CO-424225-PEN and all correspondence concerning the RFQ should include this reference.
SUMMARY OF REQUIREMENTS
Please note that these requirements are being refined and will be included in further details as part of the RFQ.
Project Objective
To assess the security vulnerabilities and risks associated with NATO web assets. The security audit will be conducted using a grey box approach, following the OWASP Application Security Verification Standard.
Scope of Work
1. Conduct manual penetration testing following a grey box approach for i) web assets exposed to the internet and ii) web assets not exposed to the internet.
2. Assess the security vulnerabilities and risks associated with the web assets.
3. Provide recommendations to mitigate the identified risks.
Period of Performance
A nine-month basic period, followed by two 12-month optional periods. The basic period is anticipated to start in April 2025 and end on 31 December 2025. This timeline represents the anticipated duration of the project, and adjustments may be made as per the requirements of the solicitation process and subsequent contractual agreement.
BECOMING ELIGIBLE TO BID
NATO ICB requires that the U.S. Government issue a DOE for potential U.S. prime contractors interested in this project. Before the U.S. Government can do so, however, the U.S. Government must approve the U.S. firm for participation in NATO ICB. U.S. firms are approved for NATO ICB on a facility-by-facility basis.
The U.S. NATO ICB application is a one-time application. The application requires supporting documentation in the form of 1) a company resume or capability statement indicating contracts completed as a prime contractor and 2) an annual report or set of financial documents indicating compilation, review, or audit by an independent CPA.
U.S. firms can download a copy of the U.S. NATO ICB application from the following website:
https://www.bis.doc.gov/index.php/other-areas/strategic-industries-and-economic-security-sies/nato-related-business-opportunities
DOC is the U.S. Government agency that approves NATO ICB applications. Please submit your application and supporting documentation (as attachments) to the email address provided. If your firm is interested in a specific NATO ICB project at this time, please also include the following in the TEXT of your email:
- the title and/or solicitation number of the project
- the name/phone/email of the company employee who should receive the bid documents
After approval of your one-time NATO ICB application, DOC will then know to follow up by issuing a DOE for the project. DOC will transmit the DOE to the NATO contracting agency.
IMPORTANT DATES:
Request a DOE (and, for firms new to NATO ICB, submit the completed one-time NATO ICB application): 22 September 2025
NCIA distributes the RFQ (planned): October 2025
Bid closing (anticipated): November 2025
Contract Award (estimated): January 2026
NATO BUSINESS OPPORTUNITY: WEB ASSET SECURITY ASSESSMENT GREY BOX WEB PENETRATION TESTING is a federal acquisition solicitation issued by DEPARTMENT OF COMMERCE.