Job Description

Contact: Rahil Khan, email: rahilk@vgroupinc.com, phone: 303 848 8897

Job Title: Penetration Tester

Duration: TBD based on Deliverable & Time Line

Location: Montpelier, VT

The Vermont Department of Motor Vehicles (DMV) is seeking a contractor to conduct cybersecurity penetration testing services on the following two distinct solutions.

The DMV seeks a cybersecurity contractor with extensive expertise in penetration testing to rigorously assess the security of VT TRIPS, with a focus on the Driver Services component, and VT Haul Pass, ensuring robust protection against potential cyber threats.

Penetration Testing Requirements:

• Black-box testing (unauthenticated + authenticated)
• External web app and REST endpoint testing
• Risk-ranked vulnerability report
• Retesting after remediation
• Log & packet trace submission
• Destruction attestation of test data
• U.S.-based testing & data residency
• Daily testing window: 8:00 AM 4:30 PM EST

REQUIREMENTS:

1. The selected contractor will work closely with ADS, AOT, Fast and ProMiles personnel as required during this engagement.
2. External web application penetration testing of VT TRIPS and VT Haul against their production-like environments. URLs provided at project launch.
3. External web application penetration testing against:
   1. VT TRIPS - two REST endpoints (provided at project launch)
   2. VT Haul Pass one REST endpoint (provided at project launch)
4. Perform penetration tests including black box testing on the web site(s) / endpoints defined above to assess the extent of a compromise an attacker can achieve by identifying and exploiting any vulnerabilities. Also testing as an authenticated user :
   1. VT TRIPS authenticated users, un-authenticated users (sites to be provided at project launch)
   2. VT Haul Pass - authenticated users, un-authenticated users (sites to be provided at project launch)
5. Comprehensive report of risk-ranked vulnerabilities/findings and associated exploits.
6. Following each penetration test and remediation of specific identified vulnerabilities, a retest will be performed specifically to determine whether the vulnerabilities were successfully remediated.
7. The contractor will log and trace every packet sent to Fast Enterprises for VT TRIPS and ProMiles VT Haul Pass as part of the test and shall provide log files to DMV/ADS as an addendum to the report deliverable(s).
8. Attestation of destruction of any information obtained by the contractor resulting from these penetration tests.
9. Penetration testing must be conducted from the continental US. All data obtained in the course of this engagement must always remain on continental US. If this is not possible, please explain.
10. The contractor will produce an initial report of any findings within 5 business days following the completion of the initial testing.
11. Contractor is authorized to perform this test during the testing period between 8:00 am and 4:30 pm EST. (blackout update dates/give as much time necessary/but not touch update windows.)
12. The contractor will provide the State with a draft report of any findings and results within 5 business days after the penetration testing is completed.
13. The report will include all identified vulnerabilities, criticality levels, steps to reproduce or screenshots and recommended corrective methods and actions.

PROJECT MANAGEMENT

PROJECT MANAGEMENT APPROACH

The Contractor shall follow project management methodologies that are consistent with the

Project Management Institute s (PMI) Project Management Body of Knowledge (PMBOK)

Guide.

Contractor staff will produce project deliverables using Microsoft Office products in v2007

or newer (Word, Excel, Project, Visio, etc.), and Adobe PDF, or other formats acceptable to

the State.

PROJECT DELIVERABLES

Describe required deliverables in detail. Under no circumstance should a SOW be developed or an SOW RFP be released where the deliverables are not quantified or the criteria for acceptance are not defined. Be clear and concise. The deliverables identified here should be directly tied to payment provisions.

PROJECT DELIVERABLES VT TRIPS

ID	Deliverables	Expected Completion:
VT TRIPS -1	Finalized project approach, plan and/or schedule for VT TRIPS	Within 5 business days of executed SOW Agreement
VT TRIPS -2	Initial penetration test of VT TRIPS and initial report of found vulnerabilities.	The State is requesting this occur Oct 6th 15th.
VT TRIPS-3	Retest of remediated findings from VT TRIPS as well as final report of found vulnerabilities	Within ( vendor to propose ) notification by DMV/ADS that remediations are completed.
VT TRIPS-4	All log files as described in Requirement #7 and attestation of destruction of all information obtained as part of the executed penetration tests.	Within 5 business days of final report (ID# VT TRIPS-3)

PROJECT DELIVERABLES VT Haul Pass

ID	Deliverables	Expected Completion:
VT Haul -1	Finalized project approach, plan and/or schedule for VT Haul Pass	Within 5 business days of executed SOW Agreement
VT Haul-2	Initial penetration test of VT Haul Pass and initial report of found vulnerabilities.	State s desire is Oct 20th 31st.
VT Haul-3	Retest of remediated findings from VT Haul Pass as well as final report of found vulnerabilities	Within ( vendor to propose ) notification by DMV/ADS that remediations are completed.
VT Haul-4	All log files as described in Requirement #7 and attestation of destruction of all information obtained as part of the executed penetration tests.	Within 5 business days of final report (ID# VT Haul-3)

Proposed Services Work Plan

1. Proposed Services: A description of the Contractor s proposed services to accomplish the specified work requirements, including dates of completion.
2. Risk Assessment: An assessment of any risks inherent in the work requirements and actions to mitigate these risks.
3. Proposed Tools: A description of proposed tools that may be used to facilitate the work.
4. Tasks and Deliverables: A description of and the schedule for each task and deliverable, illustrated by a Gantt chart. Start and completion dates for each task, milestone, and deliverable shall be indicated. Must include deliverables specified in SOW-RFP as well as other deliverables that may be proposed by Contractor.
5. Work Breakdown Structure: A detailed work breakdown structure and staffing schedule, with labor hours by skill category that will be applied to meet each milestone and deliverable, and to accomplish all specified work requirements.

____________________________________________________________________________________
V Group Inc. is an IT Services company which supplies IT staffing, project management, and delivery services in software, network, help desk and all IT areas. Our primary focus is the public sector including state and federal contracts. We have multiple awards/ contracts with the following states: AR, CA, DE, FL, GA, IL, KY, MD, ME, MI, NC, NJ, NY, OH, OR, PA, SC, TX, VA, and WA. If you are considering applying for a position with V Group, or in partnering with us on a position, please feel free to contact me for any questions you may have regarding our services and the advantages we can offer you as a consultant.

Please share my contact information with others working in Information Technology.

• Website:
• Facebook:
• Twitter:

Job Tags

For contractors, Work at office,

Similar Jobs