Re-tender: Provision of Cybersecurity Consultancy Service to conduct a comprehensive Vulnerability Assessment and Penetration Testing (VAPT) for the National Justice Information System (NJIS) Ecosystem in the Philippines

New amendment added #1: Dear Bidders,Please note the tender deadlines were extended as follow:The submission deadline is extended to the 3rd July 2026 (at 11:59pm Philippine time),The clarification is re-open up to 29th June 2026 (at 11:59pm Philippine time),The expected Contract award date is revised to 31st July 2026.The above shall form an integral part of the tender; be guided accordingly.UNOPS

New clarification added: Question 13: We would appreciate clarification regarding Joint Venture (JV) participation for the subject RFP. Specifically, could you please confirm whether there is any limit on the number of entities that may form a Joint Venture for this engagement?Response 13: There is no limit on the number of JV members. However, bidders should assess the rationale and provide clear division of responsibility between partners, with indication of the type of the services to be performed by each.

New clarification added: Question 11: We would like to request for an extension on the proposal submission date. We are very interested to submit a proposal that would best suit your needs. We hope that you can extend it to July 3, 2026.Response 11: The submission deadline will be extended to 3 July 2026.Question 12: We kindly request a one-week extension of the proposal submission deadline for the subject RFP. The additional time will allow us to complete our internal review and submit a comprehensive proposal that fully addresses the requirements.Response 12: The submission deadline will be extended to 3 July 2026.

New clarification added: Question 4: We are in a different country and do not do AFS, we have a full Accounts review with the country Tax service and they issue a tax certificate - is this acceptable? Response 4: Yes, provide the available financial documents, clearly showing the required figures, the registration document, as well as your local partner’s registration document. Noting that this tender is open only to local suppliers or international suppliers with local partners.Question 5: Exclusions and Limitations of Engagement: Explicitly excluded from the engagement is source code, and static analysis, , this is a total contradiction between requirement to test for OWASP / OWASP API and validate international best practices , and CI/CD vulnerabilities.Response 5: The source code exclusion does not conflict with OWASP testing requirements. Dynamic testing, supported by available architecture and API documentation, can address the majority of OWASP Top 10 and API Security Top 10 vulnerabilities. Bidders are encouraged to clearly identify any coverage gaps arising from this exclusion in their technical proposal — transparency on limitations will be viewed favorably.Question 6: Infra  - what infra is there to verify - who owns it, who operates it , who will give authority ?Response 6: The Department of Justice, as system owner, will coordinate all necessary access and authorizations for the engagement. Specific infrastructure ownership, hosting arrangements, and access provisioning details will be documented in the Rules of Engagement, agreed upon with the selected service provider prior to commencement of testing.Question 7: PenTest  all discovered vulnerabilities - there are 844,000 known vulnerabilities. It is not normal practice to say "Test all"  - a threshold needs established but also complexity. For example - a vulnerability that needs a satellite interception? A fix price and time is not possible when the number and severity are unknown.Response 7: The engagement is bounded by the OWASP Top 10 and OWASP API Security Top 10 frameworks, not the universe of all known vulnerabilities. Bidders should propose a risk-based methodology with a clearly defined testing threshold, prioritizing exploitable and contextually relevant vulnerabilities using CVSS-based scoring. Further scope refinement based on the actual technology stack will be addressed in the Rules of Engagement prior to commencement. Bidders are encouraged to reflect these assumptions and complexities transparently in their technical and financial proposals.Question 8: Several times documentation, design, drawings are mentioned. These, along with the complete reference scope would be needed prior to a fixed price quote.Response 8: Relevant architecture diagrams, API specifications, and design documentation will be made available to the selected service provider during the Inception and Planning phase. Bidders should clearly state the assumptions underpinning their cost estimates, as proposals are necessarily based on currently available information. Any material scope discrepancies identified during the Inception phase may be raised with the GOJUST team for appropriate adjustment.Question 9: In section 3.3 it shows that the DoJ will receive the draft report and their feedback is to be incorporated into the final report submission. This invalidates any semblance of "Independent review" - please clarify.Response 9: The feedback process is not intended to reopen or alter the findings of the report. Rather, it is meant to provide the DOJ an opportunity to comment on the process and presentation of the output. What will be reviewed is the process more than the findings.Question 10: May we request a min of 1 week extension after the answers and responses regarding the scope, infra are received.Response 10: Yes, a minimum of one week extension will be made. 

New clarification added: Qestion 3: Our JV partner is registered in a different country (outside the Philippines). They do not require AFS but they can produce a Tax register statement.  Please confirm if this is acceptable.Response 3: Yes, provide the available financial documents and their registration document.

New clarification added: Question 2: Can you clarify what has explicitly changed in this Request for Proposal from the previous one?Response 2: The required financial capacity has been lowered and bidders have the possibility to meet the criteria through combination of JV members' sales turnover.

New clarification added: Question 1: Regarding this tender, there is no mention in it about the modality of the service (remote or on-premise). We request clarification on that regard, as the need for the sending of a techincal team to the Philippines changes significantly the approach on this tender.Response 1: Onsite engagement is required for the internal testing phase, but the external testing shall be conducted remotely. See details below:1.1. External VAPT – Primary Assessment: May be conducted remotely. A secure Virtual Private Network (VPN) connection is required to provide the testing team with controlled access to the identified external IP ranges and application URLs. The final connection method will be documented in the Rules of Engagement prior to testing.1.2. External VAPT – Retest: Shall be conducted remotely to ensure timely verification of remediated vulnerabilities.1.3. Internal VAPT – Primary Assessment: an onsite engagement is required for the internal testing phase.1.4. Retest: May be conducted remotely.