The Indian government is set to announce a nationwide cybersecurity audit of critical government IT infrastructure in the coming days, with the process of selecting the agencies that will carry out the exercise entering its final stages.
A senior government official told Moneycontrol that the initiative is "at the final stages" and an announcement is expected "in a couple of days."
Documents reviewed by Moneycontrol show that NIC Services Inc. (NICSI), an organisation under the IT ministry,has completed the technical evaluation of bids, shortlisted seven firms for the next stage of the process, and currently financial evaluation is underway.
Records show that a government committee found that Qseap Infotech Pvt. Ltd., Ernst and Young LLP, AAA Technologies Ltd., AKS Information Technology Services Pvt. Ltd., KPMG, Deloitte Touche Tohmatsu India LLP and SecureyeS Techno Services Pvt. Ltd. had qualified at the "Eligibility & Technical compliance stage".
"The Committee recommends that the following bidders are qualified in the Eligibility & Technical compliance stage," the report said.
Two companies that had participated in the bidding process — Software Technology of India and STAQO Software Private Limited — failed to clear the technical stage.
Government noted that the "reasons of rejection have already been emailed to individual disqualified bidder" and provided a representation window before the financial bids are opened.
The shortlisted firms are expected to compete for empanelment as CERT-In-recognised auditors that will undertake what is likely to be one of the government's largest cybersecurity review exercises to date.
The initiative itself was first outlined in a Request for Empanelment floated by NICSI late 2025 for the "Comprehensive ICT Infrastructure Audit" of central ministries and departments, state governments, Union Territories, districts, and National and State Data Centres.
The tender envisages audits covering more than 60,000 ICT infrastructure nodes and approximately 40,000 data-centre nodes, including reviews of network configurations, security controls, cloud environments, vulnerability management practices and incident-response mechanisms.
The RFE had underscored the rationale behind the exercise, noting that "continuously evolving cyber threats have become a concern for the Government" and that government ICT infrastructure remains "one of the preferred targets of the malicious actors."
The upcoming security audit gains significance with the ongoing controversy regarding the Central Board of Secondary Education's online marksheet evaluation platform which was (ethically) hacked by teenagers. The incident has raised questions on the security infrastructure of the country's digital systems.