Request for Information (RFI) -- DAST Tool

SOL #: 28321326RI0000019 (Solicitation)

Overview

Buyer

Social Security Administration
SSA OFC OF ACQUISITION GRANTS
BALTIMORE, MD, 21235, United States

Place of Performance

Place of performance not available

NAICS

Software Publishers (513210)

PSC

Business Application Off The Shelf Software Delivered By Perpetual License, Which Also Encompasses Enterprise Level Software Enabling Mission Capability And Business Operational Support. (7A21)

Set Aside

No set aside specified

Timeline

  • Posted: May 5, 2026
  • Submission Deadline: May 19, 2026, 6:00 PM

Qualification Details

Fit reasons
  • NAICS alignment with historical contract wins in similar service areas.
  • Scope strongly matches core technical capabilities and delivery model.
Risks
  • Past performance thresholds may require one additional teaming partner.
  • Potential clarification needed on staffing minimums before bid/no-bid.
Next steps

Validate eligibility requirements, assign capture owner, and schedule partner outreach to confirm teaming strategy before submission planning.

Quick Summary

The Social Security Administration (SSA), through its Web Application Security Team (WAST), has issued a Request for Information (RFI) to identify solutions for a Dynamic Application Security Testing (DAST) tool. This RFI aims to enhance application security, bolster FISMA metrics, and meet external audit requirements by providing black box testing capabilities. Responses are due May 19, 2026.

Scope of Work

The SSA currently utilizes static application security testing (SAST) and software composition analysis (SCA) tools (Checkmarx and Black Duck) for white box testing. This RFI seeks a DAST solution to perform black box testing, scanning applications as they execute to identify exploits not detectable through static analysis. The DAST tool is needed to:

  • Better analyze SSA applications.
  • Bolster FISMA metrics.
  • Satisfy requirements from multiple external audits and assessments.
  • Provide black box testing early in the development lifecycle to prevent exploits from reaching production.
  • Support new requirements for penetration testing on Tier 1 applications and systems undergoing Authority to Operate (ATO) processes.

Contract & Timeline

  • Type: Request for Information (RFI) / Market Research
  • Product Service Code: 7A21 (Business Application Off The Shelf Software)
  • Set-Aside: None specified
  • Response Due: May 19, 2026, 6:00 PM ET
  • Published: May 5, 2026

Evaluation

Responses to this RFI will be used for market research purposes to inform future acquisition strategies and identify potential solutions for the SSA's DAST requirements. This is for planning purposes only and does not constitute a solicitation or commitment to award a contract.

Additional Notes

This RFI is critical for the SSA to immediately support federal mandates and enhance its cybersecurity posture by integrating dynamic testing into its development lifecycle.

People

Points of Contact

Keelin McGrath (Primary)
