Doc No. NRCS No.011-2016/2017 Privileged Account Management Software

ANNEXURE A

TERMS OF REFERENCE

APPOINTMENT OF A REPUTABLE SERVICE PROVIDER TO PROVIDE PRIVILEGED ACCOUNT MANAGEMENT SOFTWARE (PAM) FOR A PERIOD OF 36 (THIRTY-SIX) MONTHS TO THE NRCS (NRCS 011-2016/2017)

CLOSING DATE: 26 FEBRUARY 2018 @ 11H00

Enquiry: Malesele Sekhula

Telephone: 012 482 8714

E-mail:

1. TERMS OF REFERENCE / SPECIFICATIONS

1.1 BACKGROUND

The National Regulator for Compulsory Specifications (NRCS) was established on the 1st of September 2008, under the auspices of the National Regulator for Compulsory Specifications Act, 2008 (Act 5 of 2008), hereinafter called the NRCS Act.

The NRCS is primarily responsible for the administration of three Acts that reside under its jurisdiction, namely the NRCS Act, the Legal Metrology Act, 2014 (Act 9 of 2014), hereinafter called the LM Act, and the National Building Regulations and Building Standards Act, 1977 (Act 103 of 1977), hereinafter the NBR Act. The NRCS also administers regulations that fall under the jurisdiction of other government departments, as per agreements.

The NRCS as the regulator consists of the following business units, namely: Automotive; Chemicals, Mechanical and Materials; Electrotechnical; as well as Food and Associated Industries.

The NRCS currently employs 320 employees; however, the required services will only be rendered at the NRCS offices listed in the table below:

Site / Number of users
Cape Town / 48
Durban / 20
Port Elizabeth / 15
Bloemfontein / 7
Gauteng / 212

2. PURPOSE

2.1 Currently IT does not have any tool/software to view and monitor administrators' privileged account activities, and this puts our infrastructure at risk. Privileged Account Management (PAM) software will enhance security controls and account management in our systems.

2.2 The PAM software will enable ICT Administrators to control and audit administrative access with privileged credentials through granular delegation and command control, keystroke logging and session audit, policy-based control, and secure and automated workflows.

3. SCOPE OF WORK

3.1 The software must meet, but is not limited to, the following requirements:

3.1.1 Privilege Safe - Automate and secure the request, approval, return and automatic changing of administrative credentials across the entire diverse enterprise with a comprehensive audit trail of the process. Delivered via a secure, hardened appliance, the One Identity solution also overcomes the security concerns of passwords hard-coded into scripts as applications communicate with other applications or databases.

3.1.2 Granular Delegation & Command Control - Improve security and achieve compliance by implementing agent-based granular delegation of administrative access on Unix and Linux systems, as well as Active Directory and virtual desktops. One Identity also provides proxy-based command control for multiple operating systems, including Windows, Unix, Linux and Mac, as well as a variety of devices. The One Identity approach enables organizations to provide only the appropriate amount of access required for administrators to do their jobs across the widest range of systems and applications.

3.1.3 Indelible Audit Trails - Gain comprehensive audit of activities performed with elevated privileges across a variety of systems. Capabilities include keystroke logging for delegated root access, including through Sudo, proxy-based session audit of activities on Windows, Unix, Linux, Mac, Web applications, databases, mainframes and devices, and complete tracking of policy and activities associated with the privilege safe.

3.1.4 Policy-based Authorization - Base elevated access on strong policy and group membership within Active Directory—including support for Unix and Linux—and on dedicated, platform-specific policies within the delegation tools themselves. This strategy eliminates ad-hoc, box-by-box authorizations across the entire population of non-Windows systems.

3.1.5 Multifactor Authentication - Strengthen administrative access security with multifactor authentication for pre-determined actions, roles or systems. One Identity integrates its multifactor authentication solutions with Active Directory (and AD-based role management solutions), non-Windows systems and platform-specific privileged account delegation tools.

3.1.6 Privileged Governance - Take the hassle out of governing privileged users with an automated process for certifying and approving that only users that need access can request and gain privileged access. Integrated solutions for identity governance and privileged management to close security gaps unify identity management and streamline governance. From a single console, request, obtain, and attest to access, based on pre-defined policies that incorporate risk-assessment and segregation of duties — all with business workflows.

3.1.7 Centralized Sudo Administration - Streamline administration and easily provide access control reporting for sudo. The solution must enhance sudo 1.8.1 (and newer) with a central policy server, centralized management of sudo and the sudoers policy file, centralized reporting on sudoers access rights and activities, as well as keystroke logging of activities performed through sudo. The system should cater for the Windows, Unix and Linux environments.

3.1.8 Visibility - To include standard reports: entitlement (who has access to what), activities (per user, per safe, per password) and recordings (PMS). Email notifications can be configured to alert on any possible condition; SNMP notifications can be configured to feed into SIEM systems; activities on each password object can be viewed on the user interface on demand; a dashboard view is available to get an overview of the system; and reports can be scheduled.

3.2 Licenses - Licenses required: 350 (users) and 3 (administrators).

No / Component / Compliant (Indicate Yes or No) / Comments
1 / Privilege Safe
2 / Granular Delegation & Command Control
3 / Indelible Audit Trails
4 / Policy-based Authorization
5 / Multifactor Authentication
6 / Privileged Governance
7 / Centralized Sudo Administration
8 / Visibility
9 / Licenses

4. DURATION OF THE PROJECT

The duration of the project is 36 (thirty-six) months from date of appointment and subject to the Service Level Agreement being concluded, agreed and signed by both Parties.

5. SPECIAL CONDITIONS OF THE TENDER

5.1 The NRCS may, at its sole discretion, award an assignment or any part thereof to one or more bidders.

5.2 The NRCS may at its own discretion vary an instruction to decrease or increase the assignment.

5.3 The bidder may not cede or assign any part of its agreement with the NRCS nor subcontract any part of the assignment assigned to them by the NRCS to any third party.

5.4 The services will be based on post implementation time and material basis.

5.5 The quoted price must include inflation escalation and specify exchange rates used or where applicable in terms of the pricing of this bid for the whole duration of 36 (thirty-six) months.

5.6 The NRCS may prescribe specifications to fit in with the operational requirements.

5.7 The NRCS reserves the right to impose penalties should the service provider fail to perform the services within the period(s) specified in the contract, and to deduct from the contract price, as a penalty, a sum calculated on the unperformed services using the current prime interest calculated for each day of the delay until actual performance.

5.8 The NRCS reserves the right to exercise the non-exclusive option.

5.9 No services will be rendered without a contract being signed by both parties.

5.10 The successful bidder's employees are not employed by the NRCS and these services are rendered on an ad hoc basis.

5.11 The NRCS may disqualify a Bidder whose proposal contains a misrepresentation which is materially incorrect or misrepresented.

5.12 For the purpose of evaluation of this tender the NRCS will work on the following hours per month for support:

5.12.1 27 hours off-site

5.12.2 3 hours on-site (NRCS Offices Pretoria)

5.13 NRCS will not pay any travel costs to the NRCS offices Pretoria.

6. PROCUREMENT POLICIES AND PROCEDURE

6.1 The general conditions of tender, the National Treasury General Conditions of Contract (GCC), Service Level Agreement and order will be applicable to this tender.

6.2 The NRCS reserves the right to award the bid in full or part.

7. MINIMUM REQUIREMENTS

Please note that failure to lodge and adhere to the following requirements will lead to an immediate disqualification:

a. The prospective bidder must be registered on the Central Supplier Database (CSD) prior to submitting bids

b. The following key information will be accessed and verified on CSD, namely:

  1. Business registration, including details of directorship and membership
  2. Tax compliance status

c. Completed and signed SBD forms 1, 3.1, 4, 6.1, 8 and 9

d. Late submissions will not be accepted

e. Compliance to the scope of work outlined in clause 3 above

8. EVALUATION CRITERIA (FUNCTIONALITY)

For the purpose of comparison and in order to ensure a meaningful evaluation, bidders must submit detailed information in substantiation of compliance to the evaluation criteria mentioned (e.g. details of relevant previous work undertaken, letters from previous /current clients, etc.)

Minimum required score for functionality is 60 points out of 100 points, and any bidder scoring less than 60 points will not be considered for further evaluation. Service Providers that qualified pre-evaluation in terms of the functionality cut-off of 60 points will be evaluated in terms of the price and preference points system.

Bidders meeting the minimum score of 60 points out of 100 points will be invited for demonstrations and will at this time be provided with the demonstration guidelines.

Phases of SCM processes / Minimum qualification criteria for this phase / Total Points / WEIGHT / Minimum requirement to qualify for next phase
Functionality Evaluation (Phase 1) / Confirm responsiveness of bids and verify documents submitted / 100 / 30 / 60% or more of functionality evaluation
Demonstration Evaluation (Phase 2) / Bidders must have achieved 70% on functionality evaluation to be evaluated on the demonstration phase / 100 / 70 / Score of 60% or more on overall functionality assessments
  • Functionality (30%)
  • Demonstration (70%)

Service Providers who qualify in terms of the functionality cut-off of 60 points will then be evaluated in terms of price and preference points.

A detailed response to each element in the evaluation matrix must be prepared. Prospective bidders may include an Annexure.

DETAILED EVALUATION MATRIX

FUNCTIONALITY CRITERIA (PHASE 1)

NO / FUNCTIONALITY CRITERIA / SCORE / WEIGHT
1 / Past Relevant experience
Demonstrate the following:
Must provide 3 (three) reference letters with contactable details on your clients’ letterheads where work of a similar nature was undertaken (the services provided should not be older than 24 (twenty-four) months) / 3 and 3 contactable = (Value 5)
3 and 2 contactable = (Value 4)
3 and 1 contactable = (Value 3)
3 non contactable = (Value 2)
2 and less = (Value 1)
Non-submission = 0 / 20
2 / Methodology and Project Plan Approach: Submit project methodology approach for the scope of work as outlined in paragraph 3.1.1 to 3.1.8 (how would you achieve our requirements) / If the project methodology has information on only one of the items of scope of work as outlined (5 points)
If the project methodology has information on only two and three of the items of scope of work as outlined (5 points)
If the project methodology has information on only four and five of the items of scope of work as outlined (5 points)
If the project methodology has information on only six and seven of the items of scope of work as outlined (5 points)
If the project methodology has information on all eight of the items of scope of work as outlined (5 points)
Non-submission = 0 / 40
3 / Training 3 (three) administrators including the training plan included in the scope of work / 10
4 / Turn-around times in responding to queries as submitted by the NRCS /
  • Score of 5 for below combination
Emergency call 2 hours
Major call 4 hours
Standard call 8 hours
  • Score of 3 for below combination
Emergency call 4 hours
Major call 6 hours
Standard call 10 hours
If no information is provided you get a 0 in line with turn-around times provided by the NRCS / 10
5 / Experience of the core team to be allocated to the NRCS:
The Bidder must provide curriculum vitae of key personnel detailing their qualifications, experience and skills relevant to this type of resources or services required by the NRCS / 5= >15 years
4= >10-15 years
3= 10 years
2= 5-10 years
1= <5 years
0= Non-submission / 20
TOTAL / 100
Minimum Threshold / 60

DEMONSTRATION FUNCTIONALITY (PHASE 2)

NO / FUNCTIONALITY CRITERIA / WEIGHT
1 / Demonstration of Privilege Safe / 12.5
2 / Demonstration of Granular Delegation & Command Control / 12.5
3 / Demonstration of Indelible Audit Trails / 12.5
4 / Demonstration of Policy-based Authorization / 12.5
5 / Demonstration of Multifactor Authentication / 12.5
6 / Demonstration of Privileged Governance / 12.5
7 / Demonstration of Centralized Sudo Administration / 12.5
8 / Demonstration of Visibility / 12.5
TOTAL / 100

The bids will be evaluated on a scale of 0-5. Each panel member will rate individual criterion on the score sheet using the following scale:

Value / Description
5 – Excellent / Meets and exceeds the functionality requirements
4 – Very Good / Above average compliance to the requirements
3 – Good / Satisfactory and should be adequate for stated element
2 – Average / Compliance to the requirements
1 – Poor / Unacceptable, does not meet set criteria
0 / Non-submission

Bidder/s that score less than 60 points out of 100 overall in respect of functionality will be regarded as submitting a non-responsive bid and will be disqualified.

Bidder/s that meet the minimum required percentage or minimum points will be evaluated in terms of price and preference as per the PPPFA Act, No. 5 of 2000 and its associated Regulations issued by the National Treasury 2017.

NOTE: For the purpose of comparison and in order to ensure a meaningful evaluation, bidders must submit detailed information in substantiation of compliance to the evaluation criteria mentioned above.

Bids will be evaluated on the basis of the PPPFA 80/20-point system as presented in the Preferential Procurement Regulations 2017; for this purpose the SBD 6.1 form should be scrutinized, completed and submitted together with your quotation. The 80/20-point system will be as follows:

B-BBEE Status Level of Contributor / Number of points (80/20 system)
1 / 20
2 / 18
3 / 14
4 / 12
5 / 8
6 / 6
7 / 4
8 / 2
Non-compliant contributor / 0

9. PACKAGING OF BID

The bidder shall place the Bid Proposal envelopes into an outer envelope or package, and must be clearly marked as follows:

Bid No. NRCS 011-2016/2017

Description: Appointment of a reputable service provider to provide Privileged Account Management software (PAM) for a period of 36 (thirty-six) months to the NRCS

Bid closing date and time: 19 February 2018 at 11H00 (Submission of late bids will not be accepted)

Name and address of the bidder:______

NB: The bid proposal envelope shall contain one original hard copy document, clearly marked “original”, and three (3) hard copies, clearly marked “Copy” (i.e. three documents to be included in each envelope).

10. BID DOCUMENT CHECKLIST

A completed and signed bid document must be submitted in a file. The bid/tender documentation must be placed into a file with dividers between every schedule. The schedules must be numbered as follows:

Item / Description / Submitted (Yes/No)
Schedule 1 / All documents for minimum requirements
Schedule 2 / The Functionality criteria documentation
Schedule 3 / Certified ID copies of the directors / trustees / shareholders and their shareholding percentages
Schedule 4 / Original and valid B-BBEE status levels verification certificate or a certified copy thereof, substantiating your B-BBEE rating.