Download the complete service offering (vulnerability_assessment_services_definition.doc)


1. Description of Service

MassIT Security Assessment and Consulting Group (SAC) provides ad-hoc Vulnerability Assessment services to those agencies wishing to deploy applications both internal to MAGNet as well as internet facing. Additionally, this service is of value to agencies wishing to examine the security posture of their existing environment(s).

This service includes:
  1. Footprint the system/environment (document / diagram findings).
  2. Scan (Interrogate the environment for available services/shares/software and user account information).
  3. Enumerate (Identify all the possible doors/windows/entry points into the system(s) and open services; both legitimate & illegitimate, i.e., identify vulnerabilities).
  4. Assess results (Map out the intrusion/attack).
  5. Penetrate (Execute actual exploit - only when deemed necessary).
  6. Mitigate (Identify mitigation options).
  7. Develop and document possible risk management strategies.

This ad-hoc vulnerability assessment service does NOT replace the standard hardening and scanning requirements and processes of the MassIT Security Office for all Internet-facing systems, but it can be used as a supplemental and complementary service to provide a higher assurance level for those systems.



Support services include:


2. Service Targets/Hours of Availability

Normally, individual vulnerability assessments will be completed within 15 business days, depending on system/environment availability.

It may be desirable for a customer to request multiple assessments during the development process of their application.

Service Requirement


Service Availability: Service availability hours are 8:30 AM - 5:00 PM Monday through Friday, excluding holidays.

3. Service Reporting

Documentation is provided to the customer or their designee only, relative to the vulnerability testing results, analysis, and recommendations.

The following reporting information is provided to customers as part of this service:



Vulnerability Assessment Report
The breadth and depth of these reports are specific to the customer's need. The standard report would include the results of the assessment steps and any associated mitigation recommendations.
Reporting Interval: Ad-hoc - specific to each Vulnerability Assessment request.

4. Service Requests

COMiT Service Requests*


Request a Vulnerability Scan
This is to request a scan to harden a server for production.
Lead Time-Business Days: 5 Days

Request a Penetration Test
This is a request for assistance in quantifying and mitigating vulnerabilities in a system through penetration testing with a mitigation strategy.
Lead Time-Business Days: 5 Days

*For new service requests only. To manage existing requests, please log into COMiT.

5. Customer Responsibilities

Customers and their business partners are expected to clearly identify the scope of a vulnerability assessment and to provide written authorization to MassIT-SAC for that assessment.

Information to be included in the scope statement must be the system(s) involved (including subnet information if the whole subnet is to be examined) as well as which of the 7 Vulnerability Assessment steps (enumerated in section 2.1 above) they are authorizing MassIT-SAC to perform.

For your convenience, you may also view a detailed list of customer responsibilities (vulnerability_assessment_services_definition.doc).



6. Chargeback Rate Information

For more information on Chargeback, including an overview of the program as well as previous fiscal year rates, please visit our Chargeback Services webpage.

The costs pertaining to this service offering are currently funded out of Overhead. No additional detail is available for review.


Reviewed August 30, 2016
Updated June 11, 2015
Published August 14, 2009
Created April 16, 2009: Information provided by the Security Office