RFP for Network Security Penetration Testing Services
| Location: | North Carolina |
|---|---|
| Posted: | Jan 12, 2026 |
| Due: | Jan 15, 2026 |
| Agency: | Greenville Utilities |
| Type of Government: | State & Local |
| Category: |
|
| Solicitation No: | 25-83 |
| Publication URL: | To access bid details, please log in. |
| Bid Number | Title | Due Date | Other Files | Tab Sheet |
| 25-83 | RFP for Network Security Penetration Testing Services | Thu, 01/15/2026 - 02:00pm | - |
Attachment Preview
REQUEST FOR PROPOSALS
REQUESTING PROPOSALS FOR NETWORK SECURITY PENETRATION
TESTING SERVICES
for
GREENVILLE UTILITIES COMMISSION
PO Box 1847
Greenville, North Carolina 27835-1847
ISSUE DATE: NOVEMBER 25, 2025
PROPOSAL PACKAGES SHALL BE RECEIVED BY 2:00 PM (EST) ON January 15, 2026.
Page 1 of 21
PURPOSE OF REQUEST FOR PROPOSALS
The Greenville Utilities Commission (GUC) is seeking proposals from firms for a Network
Security Penetration Test.
Vendors submitting proposals must have experience doing assessments on
organizations with Supervisory Control and Data Acquisition (SCADA) systems. Vendors
who have experience conducting assessments with utilities are preferred. Project must
be completed and paid for in our current fiscal year that ends on June 30, 2026.
PROPOSALS SHALL BE RECEIVED BY 2:00 PM (EST) ON January 15,
2026. Proposals shall be submitted via e-mail to: haddocgc@guc.com. Attention: Cleve
Haddock, Lifetime CLGPO, Procurement Manager, Greenville Utilities Commission, 401
S. Greene Street, Greenville, North Carolina 27834. GUC reserves the right to reject any
and all Proposals.
Questions regarding this Request for Proposals (RFP) should be received by or before
December 12, 2025. Answers shall be communicated by December 19, 2025. All
questions shall be directed to the attention of Cleve Haddock, Lifetime CLGPO,
Procurement Manager, (252) 551-1533, at haddocgc@guc.com.
Scope of Services:
The services are to include, but not be limited to:
• Include all of GUC’s networks: corporate network and each of the SCADA
networks (Electric, Water, Wastewater, and Natural Gas)
• Number of external IPs: 22
• Number of internal IPs (Endpoints) accounts: 510
• Number of IT (non-SCADA) servers (Windows and Linux): 195
• Time allowed for reconnaissance and OSINT: 10 hours
Page 2 of 21
Internal Scope
• Wireless Security: Testing Wi-Fi configuration and access controls for both
corporate and guest networks.
• Attempt to discover and identify Personally Identifiable Information (PII) or other
high value documents of interest.
• Workstation/Endpoint Security: Testing security controls on typical user
workstations.
• Attempt to exploit and gain access to four identified SCADA networks with no
impact to the production system.
• Attempt to compromise the one provided non-production SCADA HMI client or
workstation from each of the 4 networks.
External Scope
• Attempt to gain remote access to as many networks or devices on network as
allowed by scope with no impact on production.
• Attempt to gain unauthorized access to systems, email, or other applications via
breached credentials, exploits or other offensive toolsets.
• Reconnaissance and OSINT - Look for any credentials, privileged or confidential
documents, items of proprietary interest.
Deliverables:
Conduct comprehensive network security penetration test and provide a detailed report
which includes:
• An Executive Summary
• A description of the methodology used to perform the assessment and any
standards they are adhering to.
• Findings of all items in Scope in Services with description, rationale,
remediation, and impact.
• All recommendations should be identified as either relating to industry best
practices, including the source of the best practice recommendation (such as a
Page 3 of 21
regulatory, compliance, or authorization scheme), or otherwise identified as the
opinion of the contractor and its team.
• A prioritized listing of findings with remediation suggestions.
• Findings should include description of exploits and vulnerabilities used in the
attack.
• An output of any vulnerability scans that were performed.
Contract Period:
It is the intent of Greenville Utilities Commission (GUC) to enter into a multi-year contract
at the time the contract is awarded by GUC to the successful proposer for a total
contract period not to exceed three (3) years. Prices shall remain fixed during the
first year with option for annual extensions at the same or negotiated prices for up to
two (2) additional years if market and service conditions so warrant and prove to be in
the best interest of GUC.
PROPOSAL REQUIREMENTS
All proposals must contain, at a minimum, the information listed below. Vendors are
asked not to submit advertising material in substitution for responding to below.
1. A Cover Letter.
2. Brief History of Firm.
3. Statement of Professional Qualifications: Include résumés of key staff proposed
to perform consulting and design work. One staff member should be designated
as the proposed Project Manager, with supporting staff identification.
4. List of Recent Similar Projects Completed: List should include projects with
similar scope proposed for this Project, and indicate which staff from the
proposed team, if any, participated in the design of each project. List must also
Page 4 of 21
include clients’ names, contact person, addresses, and telephone numbers for
each project for reference.
5. List of Subconsultants: If any subconsultants are used to assist with the services,
list the names of the firms along with professional qualifications and recent
similar projects completed.
6. Schedule of Rates: List rates charged on an hourly basis for each classification
of personnel.
7. Conceptual Project Schedule: Include a conceptual project schedule from project
kickoff to completion and total number of hours estimated to complete.
8. Location of Office: Geographic location of office assigned to perform work with
listing of key staff who actually work at that location on a permanent basis.
9. Special Considerations: Include any special considerations, conditions, or other
circumstances that is foreseen affecting the project.
10. Responses are limited to a total of 40 pages; however, an attachment of a
sample report can be beyond the 40-page limit. The font size shall not be
smaller than 11-point. E-mail your RFP Submission in a PDF. Format to:
haddocgc@guc.com.
SELECTION PROCESS
• Proposals should be received no later than 2:00 PM (EST) January 15, 2026. All
firms submitting proposals must be duly licensed to practice business in the State
of North Carolina.
• Screening of proposals by a staff committee should be completed by January 30,
2026. The staff committee will review the potential firm’s recent specialized
experience, firm’s staff qualifications, firm’s capacity to accomplish the work,
Page 5 of 21
This is the opportunity summary page. It provides an overview of this opportunity and a preview of the attached documentation.
Daily notification on new contract opportunities
With GovernmentContracts, you can:
- Find more opportunities and win more business
- Receive daily alerts for all new bid opportunities
- Get contract opportunities matched to your business
See also
...Follow Sources Sought - Installation, testing, and training of industrial and trade equipment... ...
DEPT OF DEFENSE
Bid Due: 6/17/2026
* Disclaimer: Information regarding bids, requests for proposals (RFPs), or requests for qualifications (RFQs) is provided on this website only for convenience and does not constitute official public notice. Persons wishing to respond to or inquire about bids, RFPs, or RFQs should contact the appropriate government department.