NATO Business Opportunity: Crowdsourced Black Box Web Penetration Testing (BBPT) of External Web Assets

The NATO Communications and Information Agency (NCIA) intends to issue a Request for Quotation (RFQ) for the procurement of Crowdsourced Black Box Web Penetration Testing (BBPT) of External Web Assets.

Potential U.S. prime contractors must 1) maintain a professionally active facility (office, factory, laboratory, etc.) within the United States, 2) be pre-approved for participation in NATO Competitive Procurement (NCP), 3) be issued a Declaration of Eligibility (DOE) by the Department of Commerce (DOC), and 4) register with NCIA’s eProcurement tool, Neo: https://www.ncia.nato.int/business/procurement/neo-eprocurement 

The reference for the RFQ is RFQ-CO-424326-BBPT and all correspondence concerning the RFQ should include this reference.

Competition Type: Lowest Price Technically Compliant

SUMMARY OF REQUIREMENT

The scope of the contract is to provide crowdsourced Black Box Web Penetration Testing (BBPT) of external web assets. The objective is to identify, report, and support the remediation of vulnerabilities, reducing NATO’s exposure to cyber threats.

The awarded Contractor shall provide all personnel, technology, and non-personal services required to conduct black-box penetration testing on NATO’s external web assets.

Contractor responsibilities include recruiting and managing vetted researchers, operating a secure testing platform, and adhering to reporting and security protocols.

In coordination with the NATO Cyber Security Centre (NCSC) Point of Contact, The Contractor shall conduct up to 10 (ten) time-boxed challenges of 90 (ninety) days each per year.

The prospective contract will be Firm-Fixed Price with a period of performance of one (1) year plus two (2) 12-month option periods.

BECOMING ELIGIBLE TO BID

If you have a NCIA DOE that can be used on other NCIA NCP opportunities, please submit the DOE to Ms. Line Sigh, Senior Contracting Officer, at RFQ-CO-424326-BBPT@ncia.nato.int 

If you do not have a DOE that can be used on other NCIA NCP opportunities, you will need a DOE from the Department of Commerce (DOC). Please follow the guidance below:   

NCP requires that the U.S. Government issue a DOE for potential U.S. prime contractors interested in this project. Before the U.S. Government can do so, however, the U.S. Government must approve the U.S. firm for participation in NCP.  U.S. firms are approved for NCP on a facility-by-facility basis. 

The U.S. NCP application is a one-time application.  The application requires supporting documentation in the form of 1) a company resume or capability statement indicating contracts completed as a prime contractor and 2) an annual report or set of financial documents indicating compilation, review, or audit by an independent CPA.

U.S. firms can download a copy of the U.S. NCP application from the following website:

https://www.bis.gov/about-bis/bis-leadership-and-offices/SIES/business-opportunities-nato 

DOC is the U.S. Government agency that approves NCP applications. Please submit to the email address provided your application and supporting documentation (as attachments). If your firm is interested in a specific NCP project, please also include the following in the TEXT of your email:

- the title and/or solicitation number of the project
- the name/phone/email of the company employee who should receive the bid documents

After approval of your one-time NCP application, DOC will then know to follow up by issuing a DOE for the project.  DOC will transmit the DOE to the NATO contracting agency.  

IMPORTANT DATES:

Request a DOE (and, for firms new to NCP, submit the completed one-time NCP application): 30 January 2026

NCIA distributes the RFQ (planned): February 2026

Bid Closing (anticipated): March 2026

Contract Award (estimated): June 2026