ocds-bidanga-UG-OP00453310
Consultancy for External Audits, Vulnerability, and Penetration Testing
Titre original : Consultancy services to conduct an External audits, vulnerability, and penetration testing
Deadline
July 8, 2026
Key information
- Type
- IT & Télécom
- Deadline
- July 8, 2026 at 12:00 AMClosed
- Estimated Value
- Not disclosed
- Language of Notice
- English
Description
REQUEST FOR EXPRESSION OF INTEREST
(CONSULTING SERVICES – FIRMS SELECTION)
UGANDA
UGANDA DIGITAL ACCELERATION PROJECT – GOVERNMENT NETWORK (UDAP-GOVNET)
PROJECT ID-P171305
LOAN NUMBER: IDA-68980
REFERENCE NUMBER: NITA-UDAP/CONS/25-26/00053
ASSIGNMENT TITLE: CONSULTANCY SERVICES TO CONDUCT AN EXTERNAL AUDITS, VULNERABILITY, AND PENETRATION TESTING
The Government of Uganda, represented by the National Information Technology Authority - Uganda (NITA-U), has received financing from the World Bank towards the cost of the Uganda Digital Acceleration Project - Government Network (UDAP-GOVNET) and intends to apply part of the proceeds for Consultancy services to conduct an External audits, vulnerability, and penetration testing.
The consulting services (“the Services”) include conducting External audits, vulnerability, and penetration testing. The primary goal of this project is to identify and address vulnerabilities and to ensure compliance with national and international cybersecurity standards, namely the National Information Security Framework (NISF) and ISO/IEC 27001:2022. The NISF is Uganda's mandatory national information security standard governing all Government Ministries, Departments, and Agencies (MDAs); it defines the minimum information security controls that Government agencies, as well as private- sector companies that own or operate protected computers, must apply to reduce their vulnerability to cyber threats. ISO/IEC 27001:2022, an internationally recognized standard for information security management systems, is used as a supplementary reference for global benchmarking. While the NISF provides the primary compliance baseline specific to Uganda's public-sector context, ISO/IEC 27001:2022 ensures findings are aligned with international best practice. This effort aims to strengthen the cybersecurity posture of Uganda's Government digital services, fostering a secure and resilient digital environment that supports the efficient delivery of public services
The Implementation period of the assignment is 25 Weeks from the date of signing the contract.
The detailed Terms of Reference (TOR) for the assignment can be found at the following website: https://www.nita.go.ug/opportunities/bids-and-tenders
The National Information Technology Authority - Uganda now invites eligible consulting firms (“Consultants”) to indicate their interest in providing the services. Interested Consultants should provide information demonstrating that they have the required qualifications and relevant experience to perform the Services.
The Shortlisting Criteria for the firm’s capacity and experience are:
- The Consulting Firm shall be a legally registered organization in Uganda or overseas, Proof of legal registration must be included in the proposal submission and be valid for the year of operation.
- The Consulting Firm shall be a legally registered and authorized to provide cybersecurity assessment and penetration testing services by NITA -U.
- The firm must demonstrate previous experience in cybersecurity consulting, specifically in conducting Vulnerability Assessments and Penetration Testing (VAPT). The firm should provide evidence of successful execution of at least five (5) similar assignments of comparable type, scope, and complexity, preferably involving Government institutions, critical national infrastructure or Data Centers and Operational Technology (OT) or Supervisory Control and Data Acquisition (SCADA) systems.
- The firm shall demonstrate depth of expertise, quality of reporting, and experience in conducting Vulnerability Assessment and Penetration Testing (VAPT) assignments. To facilitate this assessment, the firm shall submit at least two (2) redacted VAPT reports from previously completed assignments of similar scope and complexity. The submitted reports will be reviewed to evaluate the firm's methodology, technical rigor, clarity of findings, risk-rating approach, quality of recommendations, and adherence to recognized cybersecurity standards and best practices.
- The firm must have the current ISO 27001 Certification
- Submit the firm’s organogram to demonstrate the firm’s technical and managerial capability;
- The consulting firm must demonstrate the ability to field a team of experts with the required qualifications and experience for the assignment. These shall include at least: Team Leader / Senior Cybersecurity Consultant (1), Two (2) Penetration Testing Experts, Two (2) Cybersecurity Risk and Compliance Analysts, and Two (2) Systems and Infrastructure Security Experts.
The attention of interested consultants is drawn to Section III, paragraphs 3.15, 3.16, of the World Bank’s ‘Procurement in Investment Project Financing Goods, Works, Non-Consulting and Consulting Services, Seventh Edition September 2025 (Procurement in investment Project Financing; Goods, Works, Non-Consulting and Consulting Services), setting forth the World Bank’s policy on conflict of interest.
Consultants may associate with other firms to enhance their qualifications, but should indicate clearly whether the association is in the form of a joint venture and/or a sub-consultancy. In the case of a joint venture, all the partners in the joint venture shall be jointly and severally liable for the entire contract, if selected.
A consultant will be selected in accordance with the Least Cost Selection method set out in the World Bank Procurement Regulations “Procurement in Investment Project Financing Goods, Works, Non-Consulting and Consulting Services, Seventh Edition September 2025”.
Further information can be obtained at the address below during office hours at the address below 08:00 to 17:00 hours from Monday to Friday at the address given below.
Expressions of Interest (One original plus two copies) must be delivered in a written form to the address below (in person or by e-mail) on or before 8th July 2026 at 11:00am Consultants not located in the Country may submit their REOIs through the provided email address.
The packages must be clearly marked as; “Expression of Interest for Consultancy services to conduct an External audits, vulnerability, and penetration testing.”
The Procurement Officer,
National Information Technology Authority-Uganda Palm Courts, Plot 7A Rotary Avenue,1st Floor Kampala-Uganda,
Email: [email protected]
Any form of canvassing or lobbying for the tender shall lead to automatic disqualification.
EXECUTIVE DIRECTOR.
Tender Timeline
Publication
June 25, 2026
Bid Submission Deadline
July 8, 2026
Evaluation & Award
Pending
Contract Signature
Pending
Tender Documents
Connectez-vous pour télécharger le dossier et être averti automatiquement de toute modification de cet appel d'offres.