Provision of Cybersecurity Consultancy Service to conduct a comprehensive Vulnerability Assessment and Penetration Testing (VAPT) for the National Justice Information System (NJIS) Ecosystem in the Philippines
UNOPS
Provision of Cybersecurity Consultancy Service to conduct a comprehensive Vulnerability Assessment and Penetration Testing (VAPT) for the National Justice Information System (NJIS) Ecosystem in the Philippines
Request for proposal
Reference:
RFP/2026/62464
Beneficiary countries or territories:
Philippines
Registration level:
Basic
Published on:
29-Apr-2026
Deadline on:
13-May-2026 15:59 0.00
Description
Tender description: Provision of Cybersecurity Consultancy Service to conduct a comprehensive Vulnerability Assessment and Penetration Testing (VAPT) for the National Justice Information System (NJIS) Ecosystem in the Philippines
-----
IMPORTANT NOTE: Interested vendors must respond to this tender using the UNOPS eSourcing system, via the UNGM portal. In order to access the full UNOPS tender details, request clarifications on the tender, and submit a vendor response to a tender using the system, vendors need to be registered as a UNOPS vendor at the UNGM portal and be logged into UNGM. For guidance on how to register on UNGM and submit responses to UNOPS tenders in the UNOPS eSourcing system, please refer to the user guide and other resources available at: https://esourcing.unops.org/#/Help/Guides
Interested in improving your knowledge of what UNOPS procures, how we procure and how to become a vendor to supply to our organization? Learn more about our free online course on “Doing business with UNOPS” here
-----
IMPORTANT NOTE: Interested vendors must respond to this tender using the UNOPS eSourcing system, via the UNGM portal. In order to access the full UNOPS tender details, request clarifications on the tender, and submit a vendor response to a tender using the system, vendors need to be registered as a UNOPS vendor at the UNGM portal and be logged into UNGM. For guidance on how to register on UNGM and submit responses to UNOPS tenders in the UNOPS eSourcing system, please refer to the user guide and other resources available at: https://esourcing.unops.org/#/Help/Guides
Interested in improving your knowledge of what UNOPS procures, how we procure and how to become a vendor to supply to our organization? Learn more about our free online course on “Doing business with UNOPS” here
This tender has been posted through the UNOPS eSourcing system. / Cet avis a été publié au moyen du système eSourcing de l'UNOPS. / Esta licitación ha sido publicada usando el sistema eSourcing de UNOPS. Vendor Guide / Guide pour Fournisseurs / Guíra para Proveedores: https://esourcing.unops.org/#/Help/Guides
First name:
N/A
Surname:
N/A
This procurement opportunity integrates considerations for at least one sustainability indicator. However, it does not meet the requirements to be considered sustainable.
Gender issues
Social
The tender contains sustainability considerations addressing gender equality and women's empowerment.
Examples:
Gender mainstreaming, targeted employment of women, promotion of women-owned businesses.
| Link | Description | |
|---|---|---|
| https://esourcing.unops.org/#/Help/Guides | UNOPS eSourcing – Vendor guide and other system resources / Guide pour fournisseurs et autres ressources sur le système / Guía para proveedores y otros recursos sobre el sistema |
80101507
-
Information technology consultation services
New clarification added: Question 4: Are there any specific regulatory, compliance, or security standards that the VAPT engagement must align with beyond those already mentioned in the TOR (e.g., ISO 27001, NIST, PCI-DSS, CIS Benchmarks, OWASP ASVS)?Response 4: No additional regulatory, compliance, or security standards are mandatory beyond those already mentioned in the TOR (Section II: Schedule of Requirements).Question 5: Could you confirm whether previous VAPT assessments were conducted on the NJIS platform?Response 6: None.Question 6: How many IP address or URLs are there for both Internal & External?Response 7: For external, it's only 1 IP with a given domain name and communicates over https, DOJ will submit the URLs depending on the interoperability layer being communicated. For internal, it's about 3-4 IPs of separate VMs, all with domain names and communicating over https. DOJ can submit the current setup for the tester's reference.Question 7: Do you currently have a Security Operations Center (SOC) or monitoring capability in place during the VAPT testing period?Response 7: Yes, DOJ’s cyber security section from their Infrastructure Division will be requested to participate in this activity.
Edited on:
11-May-2026 13:23
Edited by:
webservice@unops.org
New clarification added: Question 3: We are currently finalising our local partner in the Philippines. Can we share the partner details before the project kickoff?Response 3: Local partner details should be provided upon submission of the proposal.
Edited on:
11-May-2026 13:17
Edited by:
webservice@unops.org
New clarification added: Question 2:We would like to clarify the preferred mode of engagement for the Primary VAPT Assessment and the Retest activities. For both External VAPT and Internal VAPT, please confirm whether the activities should be conducted Remotely (from outside the Philippines), or Onsite (within the Philippines)Kindly advise your preference for(remote vs onsite): 2.1. External VAPT – Primary Assessment. 2.2. External VAPT – Retest.2.3. Internal VAPT – Primary Assessment.2.4. Retest We look forward your response.Response 2:2.1. External VAPT – Primary Assessment: May be conducted remotely. A secure Virtual Private Network (VPN) connection is required to provide the testing team with controlled access to the identified external IP ranges and application URLs. The final connection method will be documented in the Rules of Engagement prior to testing.2.2. External VAPT – Retest: Shall be conducted remotely to ensure timely verification of remediated vulnerabilities.2.3. Internal VAPT – Primary Assessment: an onsite engagement is required for the internal testing phase.2.4. Retest: May be conducted remotely.Note:# Rules of Engagement (ROE): Regardless of the modality, a comprehensive ROE document will be signed by both parties before any testing begins. This will strictly define testing windows, IP addresses, emergency stop procedures, and the precise VPN connection details.# VPN Requirement: For any remote testing, bidders must propose a secure VPN solution. The DOJ shall not provide direct internet access to internal systems.# Data Security: Strict confidentiality and data handling procedures, as outlined in the original ToR, apply regardless of testing location.
Edited on:
11-May-2026 13:14
Edited by:
webservice@unops.org
New clarification added: Question 1: We would like to kindly check and confirm whether an entity based outside of the Philippines is eligible to participate and submit a proposal for this tender.Response 1: This tender is open to suppliers with valid registration in the Philippines or international suppliers with a partner in the Philippines. Therefore, a non-Philippines supplier is eligible as long as they form a partnership with a local supplier (through JV, etc.) for the submission. Refer to the eligibility details under the Particulars section and the Criteria section of this platform.
Edited on:
11-May-2026 12:22
Edited by:
webservice@unops.org
New amendment added #1: Dear Bidders,Please, be informed of the following amendments to the deadlines:Tender closing date: Wednesday 13 May 2026 at 11:59 PM (Philippine local time)Deadline for clarifications: Monday 11 May 2026 at 11:59 PM (Philippine local time)Expected Contract award date: 15 June 2026.This shall form an integral part of the tender; be guided accordingly.UNOPS
Edited on:
06-May-2026 06:09
Edited by:
webservice@unops.org