USPTO Posts RFI for Penetration Testing Services
According to a request for information posted on SAM.gov, the contractor will serve as a red team that simulates attacks on the USPTO’s networks using methods and resources that threat actors currently deploy. The simulated adversaries should range up to advanced persistent threat actors, nation-state actors and non-government organizations.
RFI materials will be disclosed only to verified domestic U.S. contract entities, and only after a non-disclosure agreement has been executed. Interested companies have until Jan. 11 to prove that they are U.S.-based, FedScoop reported. The USPTO will subsequently provide a more thorough package of materials through which companies can give more information about their services and past performance.
The RFI was issued after USPTO Chief Information Officer Jamie Holcombe announced plans to move to zero trust. Holcombe said in November that he wants encryption capabilities embedded into data centers to allow the agency to disseminate public data without compromising confidential information.
Penetration testing is an authorized simulated attack on a computer system to evaluate its security status. It uses the same resources and techniques used by actual hackers to show how systems and associated defense measures would respond to threats.
The National Institute of Standards and Technology issued a guide on how to assess cybersecurity measures, including pen tests. The guide includes how to develop an assessment policy, how to plan for and execute assessments and how to handle technical data.