Cybersecurity Pentesting Services

Background
The City of Roseville is seeking proposals from qualified and experienced cybersecurity firms to provide professional penetration testing services for its Information Technology (IT), Business Technology (BT), and Operational Technology (OT) environments. The City operates a complex technology ecosystem that supports municipal operations, public safety, utilities, and administrative services, which includes critical infrastructure components and sensitive data environments.

The goal of this contract is to protect the confidentiality, integrity, and availability of City systems and data, thereby maintaining public trust and ensuring uninterrupted services. The City's cybersecurity program aligns with regulatory frameworks such as CJIS, PCI-DSS, NIST SP 800-82, IEC 62443, and NERC CIP.

Work Details
The selected Consultant will provide professional cybersecurity penetration testing services to evaluate the security posture of the City’s information systems, applications, and network infrastructure. Services must be performed in a controlled manner without causing system outages or data loss. Specific testing services include:
- External network penetration testing to assess internet-facing systems for vulnerabilities.
- Internal network penetration testing to identify privilege escalation paths and access control weaknesses.
- Web application penetration testing for vulnerabilities like authentication flaws and injection attacks.
- Wireless network penetration testing for encryption weaknesses and unauthorized access risks.
- Cloud infrastructure testing for identity management and configuration weaknesses.
- Social engineering testing including deep fakes (if authorized).
- SCADA/ICS Testing to review endpoint configurations across City-managed devices.

Optional specialized services may include mobile application penetration testing, API security testing, IoT device testing, physical security testing, third-party security assessments, red/blue/purple team engagements, and insider threat simulations. Each engagement will require a comprehensive written report detailing findings with risk ratings and actionable remediation recommendations.

Period of Performance
The initial contract duration is three years with annual engagements expected to last approximately one to two weeks each year. The first annual pentest is anticipated around May-June 2026.

Place of Performance
Services will be performed at various locations within the City of Roseville's jurisdiction as determined by the specific systems or environments selected for each annual engagement.

Bidder Requirements
Proposers must be registered with the California Secretary of State to do business in California. All vendor staff performing services must undergo background checks at their expense. Proposals must include a signed Proposer’s Certification indicating compliance with all requirements outlined in the RFP.