Published: June 25, 2023

RFP: Multi-State Lottery Association (MUSL) is pursuing external and internal penetration and vulnerability testing from qualified vendors

Multi-State Lottery Association

Date of Issuance: June 13, 2023 - Proposals to RFP Due July 28, 2023
Introduction
The Multi-State Lottery Association (MUSL) is an unincorporated non-profit government benefit
association owned and operated by thirty-nine (39) governmental lotteries (Member Lotteries).
MUSL assists both Member Lotteries and additional lotteries licensed to sell multi-jurisdictional
lottery games such as Powerball, in the operation and sale of those lottery games. As part of its
services to Member Lotteries, MUSL develops and maintains websites for the promotion of these
games.
MUSL is pursuing external and internal penetration and vulnerability testing from qualified
vendors.
Summary of Services Requested
MUSL is requesting proposals for a penetration test project for offices located in Iowa and seeks
to establish a non-exclusive agreement with a qualified Vendor.
MUSL expects the selected Vendor to provide a Project Manager who will be assigned to the
project for its duration, absent extenuating circumstances, such as termination of employment,
inability to complete the assignment, etc.
MUSL may request that the successful vendor enter a multi-year contract.
Timeline for the RFP
June 13, 2023 - Issue Request for Proposal.
July 7, 2023 - Written questions from interested Vendors due to MUSL. All questions should be
sent by email to MUSL, subject line “2023 Pen Test”.
July 14, 2023 - Written responses to Vendor questions distributed to all interested Vendors.
Interested Vendors must express their interest before this date to receive the responses to Vendor
questions. The responses will not be posted publicly.
July 28, 2023 - Proposals due; they must be received by MUSL no later than 3:00 pm CDT. Vendors must
email a PDF of their proposal to MUSL, subject line “2023 Pen Test”.

July 31, 2023 - Vendor proposal evaluation and selection process begins; evaluation team may
require teleconferences with Vendors submitting proposals. In-person presentations may be
requested at MUSL’s discretion.
August 14 – 18, 2023 (tentative) - Teleconferences, if necessary, will be held via Teams.
August 2023 - Successful Vendor selected; Contract negotiations.
It is anticipated that a project kick-off meeting will be held following successful contract
negotiations.
MUSL reserves the right to modify the schedule as may be necessary.
Service Requirements
MUSL seeks the following services:
1) Vulnerability Testing, including:
a) Recognizing information security issues within MUSL through this exercise
b) Identification of misconfigured and unpatched devices that could be used to
compromise the MUSL network and lead to data exfiltration
c) Vulnerability assessment, verification, and recommended solutions to mitigate
vulnerabilities in local / remote networks (automated and manual)
d) Conduct simulated cyber-attacks on MUSL’s infrastructure
e) Validate protections and monitoring around high-value systems
f) Scan the network to understand topology and restrictions
g) Providing best practices or recommendations for remediation based on the findings.
2) Web application assessment and penetration test, including:
a) Comprehensive security assessment of the scoped web applications
b) Identify OWASP Top 10 vulnerabilities present
c) Exploit each flaw in an effort to gain access to the internal environment
d) Check all input fields for input validation
e) Identify known command injection vulnerabilities
f) Provide balanced (cost: benefit) recommendations to remediate findings.

3) Other services related to the above and commonly included in this type of assessment
(Vendor’s proposals should identify these).
4) A follow-up assessment of vulnerabilities found after MUSL review and initial remediation.
