Conduct Vulnerability Assessment and Penetration Testing (VAPT) on the Secure Data Management System (SDMS) Portals, ACE environment, National Benchmarking Portal (NBP)

The Buyer seeks an experienced Seller who has the capability to provide independent Cybersecurity Penetration Testing and Vulnerability Assessments on the Independent Health and Aged Care Pricing Authority (IHACPA) Cloud-based Secure Data Management System (SDMS) comprising of Citrix desktop, File Transfer Portal (FTP), Data Collection Portals and two additional cloud tenancy solutions, Australian Classification Exchange (ACE) portal and National Benchmarking Portal (NBP).

The Seller will undertake the review and provide IHACPA with a Draft report detailing any potential and actual security exposures identified and recommendations to address them, referencing the security risk exposure and risk ratings as detailed in the IHACPA Risk Management and Policy Framework.

Once remediations have been completed, the Seller will assess the remediations undertaken and validate that the potential and actual security exposures identified have been addressed and provide a FINAL report. The Seller to make further recommendations to address any remaining potential and actual security exposures not adequately addressed by the remediation work assessed. 

Estimated start date: Monday, 03 November 2025

Initial contract duration: 5 Months

Extension term: Other

Extension term details: 3 years, 3 extensions

Number of extensions: Buyer has not provided these details

Working arrangements: Remote

Industry briefing: A teams meeting will be arranged with the Sellers with invites to be forwarded to their nominated representatives. Time: 1 October 2025, 11:00 am AEST.

Additional budget information: Where IHACPA opts to extend the Contract, the Seller may apply indexation to their new quote, to be applied to the following 12 months.