BACKGROUND
The Department is seeking a contractor to provide cybersecurity penetration testing services for the Vermont Title, Registration, Identification and Permit System (VTTRIPS) application's publicly facing eServices portal. VTTRIPS is the implementation project name of the Fast DS-VS commercial off-the-shelf system from Fast Enterprises that will administer Driver and Vehicle Services for Vermont. The system is fully hosted by Fast Hosting Services. The first phase of VTTRIPS is the Vehicle Services (VS) portion, which is slated to go live November 13, 2023. DMV is seeking a computer security services provider exceptionally well versed in all facets of penetration testing to test VTTRIPS to ensure it is secured from malicious actors.
Requirements
1. The selected contractor will work closely with ADS, DMV and Fast Enterprises personnel as required during this engagement.
2. External web application penetration testing of VTTRIPS against their "production like" environments. Two URLs (provided at project launch).
3. Endpoint penetration testing. One REST endpoint (provided at project launch).
4. Perform penetration tests, including "black box" testing, on the web site(s) / endpoints defined above to assess the extent of a compromise an attacker can achieve by identifying and exploiting any vulnerabilities. Also testing as an "authenticated user". (Number of user roles goes here)
5. Comprehensive report of risk-ranked vulnerabilities/findings and associated exploits.
6. Following each penetration test and remediation of specific identified vulnerabilities, a retest will be performed specifically to determine whether the vulnerabilities were successfully remediated.
7. The contractor will log and trace every packet sent to Fast Enterprises as part of the test and shall provide log files to DMV/ADS as an addendum to the report deliverable(s).
8. Attestation of destruction of any information obtained by the contractor resulting from these penetration tests.
9. Penetration testing must be conducted from US soil. All data obtained in the course of this engagement must always remain on US soil. If this is not possible, please explain.
10. The contractor will produce an initial report of any findings within 5 business days following the completion of the initial testing.
11. Contractor is authorized to perform this test during the testing period between 8:00 am and 4:30 pm EST.
12. The contractor will provide the State with a final report of any findings and results within 5 business days after the penetration testing is completed.
13. The report will include all identified vulnerabilities, criticality levels, steps to reproduce or screenshots, and recommended corrective methods and actions.