GeM Service Provider · CERT-In Aligned · DPDPA Ready · Network & Web App VA/PT

Vulnerability Assessment on GeM India

Ogma provides CERT-In aligned vulnerability assessment and penetration testing services through the Government e-Marketplace (GeM) service categories. Government departments, PSUs, defence establishments, and autonomous bodies mandated to conduct periodic security assessments under CERT-In directives or DPDPA 2023 obligations can procure VA/PT directly via GeM — with compliant reporting, full audit documentation, and no separate RFP required for standard assessments.

CERT-In: Aligned methodology and reporting format
DPDPA: 2023 data protection compliance scope
30-day: Standard assessment-to-report delivery
GeM: Direct PO — no separate RFP for standard scope

VA/PT Services Available on GeM

CERT-In aligned security assessments — procurable via GeM service categories with full audit documentation.

Network Vulnerability Assessment

Internal and perimeter network VA — firewalls, switches, routers, servers, and endpoints. CVSS 3.1 scoring, risk-ranked findings, remediation roadmap. CERT-In information security practices aligned.

Web Application Penetration Testing

OWASP Top 10 + SANS 25 methodology. Covers authentication, injection, broken access control, SSRF, and business logic flaws. Suitable for government portals, e-governance apps, and public APIs.

Cloud Security Assessment (CSPM)

AWS, Azure, and GCP security posture assessment — IAM misconfigurations, storage exposure, network security groups, encryption gaps. CERT-In and MeitY cloud security guidelines aligned.

Mobile Application Testing

Android and iOS app security testing for government mobile apps (e.g. mGov, departmental apps). OWASP Mobile Top 10 methodology. Binary analysis, API security, and data storage review.

Infrastructure Hardening Review

CIS Benchmark-based configuration review for Windows Server, Linux, network devices, and virtualisation platforms. Identifies deviations from government hardening baselines (STQC/CERT-In).

DPDPA Compliance Assessment

Gap assessment for DPDPA 2023 obligations — data inventory, consent management, breach notification readiness, third-party processor controls, and technical safeguards. Deliverable includes compliance roadmap.

CERT-In Report Format

Reports structured for CERT-In submission, internal audit, and sector regulatory compliance.

Audit-Ready Reporting

VA/PT reports are structured to meet CERT-In submission requirements — executive summary, technical findings, CVSS scores, evidence screenshots, and remediation timelines. Accepted by internal audit, CERT-In, and sector regulators (RBI, SEBI, IRDA).

Periodic Assessment Scheduling

CERT-In directives require periodic VA/PT for critical government systems. Ogma manages assessment calendars, reminder scheduling, and year-over-year gap comparison reporting — single GeM service order, ongoing engagement.

Critical Vulnerability Escalation

For critical findings (CVSS ≥ 9.0), Ogma issues an immediate advisory and escalates to the designated CISO/IT head before the full report — enabling rapid patch prioritisation without waiting for report completion.

Frequently Asked Questions

Ogma's vulnerability assessment and penetration testing methodology follows CERT-In's Information Security Practices for Organisations. Assessment reports are structured for CERT-In submission and accepted by government internal audit committees.

CERT-In's 2022 directives require critical information infrastructure (CII) operators to conduct periodic security audits. DPDPA 2023 also requires significant data fiduciaries to implement appropriate technical safeguards — which VA/PT demonstrates. Many ministries and PSUs require annual VA/PT for their key systems.

Yes. Standard scopes (network VA, web app PT) are available as catalogue items on GeM. Custom scopes — covering specific applications, cloud environments, or hybrid infrastructure — can be procured via GeM's custom bid process.

Standard network VA: 5–10 business days assessment + 5 days reporting. Web application PT: 7–10 business days per application. Full report with executive summary, technical findings, and remediation roadmap delivered within 30 days of PO.

Yes. A complimentary re-test of critical and high findings is included in Ogma's standard VA/PT engagement — confirming that reported vulnerabilities have been remediated before the final clean report is issued.

Procure VA/PT via GeM

Ogma delivers CERT-In aligned vulnerability assessment and penetration testing through GeM. Government departments, PSUs, and defence can raise a GeM PO for network VA, web app PT, and DPDPA compliance assessment.
