NSE has clarified that vendors providing Co-Location as a Service(CaaS) facility are now required to also submit Vulnerability Assessment and Penetration Testing (VAPT) report. CaaS Vendors of the Exchange are required to submit System Audit Report to the Exchange as per the latest Terms of Reference (TOR).
VAPT should be conducted on completion of assessment. Any gaps identified in VAPT should be remedied on immediate basis and status of closure of findings should be submitted to Exchange within 3 months of submission of VAPT report.