# USAC RFP: Penetration Testing as a Service - Capture Assessment

- Company: Find Evil LLC
- SAM URL: https://sam.gov/opp/b13eeb1c32b14563bee9f39cadf3a7fb

While Find Evil LLC offers elite DFIR and multi-cloud forensics expertise, the solicitation focuses heavily on Penetration Testing as a Service. A lack of federal past performance and pending socio-economic certifications limit competitive standing for a prime bid.

## Why This Call Lands Here
- Capability Misalignment: The core requirement is Penetration Testing as a Service (PTaaS), including ethical hacking and web application testing.
- Lack of Federal Past Performance: Federal past performance is typically expected to win a prime federal contract of this scope.
- Geographic Mismatch: The RFP explicitly requires Contractor Staff to be on-site at USAC Headquarters in Washington, DC at least 2 days per week.
- Pending Socio-Economic Status: Active certifications are required to gain set-aside or evaluation advantages.

## Recommended Capture Actions
- Record No Go as Prime; pursue only as subcontractor.
- Identify established federal cybersecurity contractors likely to bid on USAC IT-26-027.
- Produce a one-page capability-to-scope map that shows where the company fits and where it does not.

## Requirements That Shape the Proposal

### Security / Privacy
- Contractor must comply with Data Security Laws (FISMA, NIST SP 800-53 Rev 5). Any Cloud Service Offering used must be FedRAMP Authorized at a moderate risk level. (Required) - PRIVACY AND SECURITY ADDENDUM, 2. SECURITY PROVISIONS · p.40
- Contractor must notify USAC at incident@USAC.org and Privacy@USAC.org within one (1) hour of becoming aware of an actual or suspected Cybersecurity Incident or Privacy Incident. (Required) - PRIVACY AND SECURITY ADDENDUM, 2.14. Cybersecurity Incidents and Privacy Incidents · p.43
- Vendor must submit its insider threat program to USAC's Chief Privacy Officer and Chief Information Security Officer within 90 days of the Effective Date of the Contract. (Required) - PRIVACY AND SECURITY ADDENDUM, 2. SECURITY PROVISIONS · p.41

### Submission
- Proposals must be submitted via email to Procurement@usac.org with a copy to Mustafa.Kamal@usac.org no later than Monday, March 30, 2026, 11:00 AM ET. The subject line must only be 'RFP IT-26-027'. (Required) - SECTION E: INSTRUCTIONS AND EVALUATION CRITERIA, 1. GENERAL, B. PERIOD FOR ACCEPTANCE OF OFFERS · p.51
- Proposals must be presented in four separate volumes (Corporate Information, Technical Capability, Past Performance, Price). Each volume must be submitted in PDF format as a separate attachment to a single email. Times New Roman 12-point font is required (minimum 9-point for diagrams/tables). (Required) - SECTION E: INSTRUCTIONS AND EVALUATION CRITERIA, 4. PROPOSAL FORMAT & E. Presentation and Page Limitations · p.52
- Each volume must contain a cover page including: Org name, contact name, contact info, Unique Entity ID, date of submittal, a statement verifying the proposal is valid for 120 days, and the signature of a duly authorized representative. (Required) - SECTION E: INSTRUCTIONS AND EVALUATION CRITERIA, 5. PROPOSAL COVER PAGE · p.53

### Deliverables
- Contractor must perform penetration testing on 16 to 20 USAC mission systems at least annually in pre-production environments. Testing includes Ethical Hacking, Web Application, and Application Code testing. (Required) - SECTION B: STATEMENT OF WORK, 5. SCOPE OF WORK AND DELIVERABLES · p.7
- Contractor shall offer optional services to conduct three corporate-level social engineering campaigns annually, including Phishing, Vishing, Smishing, and AI emulation. (If Applicable) - SECTION B: STATEMENT OF WORK, 5. SCOPE OF WORK AND DELIVERABLES · p.9
- Contractor shall offer optional physical testing for Wi-Fi networks and physical access at USAC's HQ location annually. (If Applicable) - SECTION B: STATEMENT OF WORK, 5. SCOPE OF WORK AND DELIVERABLES · p.9

### Pricing
- Pricing must be submitted using Attachment 1 - Bid Sheet. The proposed price must be a fully loaded firm fixed price including wages, overhead, G&A, taxes, and profit. Travel expenses are not reimbursable. (Required) - SECTION E: INSTRUCTIONS AND EVALUATION CRITERIA, 6. PROPOSAL CONTENT, D. Price Proposal (Volume 4) · p.56
- Price the bid sheet by daily rate for the base year and all four option years. (Required) - Attachment 1 - Bid Sheet | | | | | | | |
- Provide pricing for small, medium, and large system-test sizes in Attachment 1 – Bid Sheet. (Required) - Attachment 1 - Bid Sheet | | | | | | | |

## Still to verify
- Business-status discrepancy (Needs confirmation): Profile claims active 8(a)/HUBZone/SDB, but Capability Statement says Pending/Eligible

## Opportunity Context
- Agency / customer: USAC (FCC-associated)
- Due date: 2026-03-30
- Place of performance: Washington, DC 20005

## Company Context
- Company: Find Evil LLC
- Core capabilities: Digital Forensics and Incident Response (DFIR), Compromise Assessment, Cloud Forensics
- Strengths: Elite DFIR capabilities, Multi-cloud forensics
- Major gaps: Lack of federal past performance, No DC-based personnel, Pending socio-economic certifications