bid specification template - welcome to … 1437... · web viewavaya cs1000e voip telephony...

BID SPECIFICATION

RFB REF. NO: 1437/2016

DESCRIPTION THE IMPLEMENTATION AND MAINTENANCE OF A VULNERABILITY

ASSESSMENT AND MANAGEMENT SOLUTION FOR THE

DEPARTMENT OF TRADE AND INDUSTRY

VENDOR BRIEFING

SESSION

NON COMPULSORY VENDOR BRIEFING SESSION WILL BE HELD AS

FOLLOWS:

DATE: 18 NOVEMBER 2016

TIME: 10:00 AM

VENUE: SITA AUDITORIUM, 459 TSITSA STREET, ERASMUSKLOOF

CLOSING DATE FOR

QUESTIONS / QUERIES

28 NOVEMBER 2016

RFB CLOSING DETAILS DATE: 05 DECEMBER 2016

TIME: 11:00AM

VENUE: SITA APOLLO – PONGOLA, 459 TSITSA STREET,

ERASMUSKLOOF

PUBLIC OPENING OF BIDS DATE: 08 DECEMBER 2016

TIME: 12:00 NOON

VENUE: SITA APOLLO – PONGOLA, 459 TSITSA STREET,

ERASMUSKLOOF

BID VALIDITY PERIOD 120 DAYS FROM THE CLOSING DATE

1 of 81CONFIDENTIAL

ContentsANNEX A: INTRODUCTION................................................................................................................................. 4

1. PURPOSE AND BACKGROUND......................................................................................................................... 4

1.1. PURPOSE........................................................................................................................................................41.2. BACKGROUND................................................................................................................................................4

2. SCOPE OF BID.................................................................................................................................................. 5

2.1. SCOPE OF WORK.............................................................................................................................................52.2. DELIVERY ADDRESS.........................................................................................................................................52.3. CUSTOMER INFRASTRUCTURE AND ENVIRONMENT......................................................................................5

3. TECHNICAL REQUIREMENT OVERVIEW............................................................................................................ 7

3.1. PRODUCT REQUIREMENT...............................................................................................................................73.2. SOLUTION REQUIREMENT..............................................................................................................................73.3. PROJECT AND SERVICES REQUIREMENTS.......................................................................................................8

4. BID EVALUATION STAGES................................................................................................................................ 8

ANNEX A.1: ADMINISTRATIVE PRE-QUALIFICATION...............................................................................................9

5. ADMINISTRATIVE PRE-QUALIFICATION REQUIREMENTS..................................................................................9

5.1. ADMINISTRATIVE PRE-QUALIFICATION VERIFICATION...................................................................................95.2. ADMINISTRATIVE PRE-QUALIFICATION REQUIREMENTS................................................................................9

ANNEX A.2: TECHNICAL MANDATORY, FUNCTIONALITY AND PROOF OF CONCEPT REQUIREMENTS.....................10

6. TECHNICAL MANDATORY.............................................................................................................................. 10

6.1. INSTRUCTION AND EVALUATION CRITERIA..................................................................................................106.2. TECHNICAL MANDATORY REQUIREMENTS...................................................................................................116.3. DECLARATION OF COMPLIANCE...................................................................................................................15

7. TECHNICAL FUNCTIONALITY.......................................................................................................................... 16

7.1. INSTRUCTION AND EVALUATION CRITERIA..................................................................................................167.2. TECHNICAL FUNCTIONALITY REQUIREMENTS..............................................................................................17

8. PROOF OF CONCEPT...................................................................................................................................... 56

ANNEX A.3: SPECIAL CONDITIONS OF CONTRACT (SCC).......................................................................................57

9. SPECIAL CONDITIONS OF CONTRACT.............................................................................................................. 57

9.1. INSTRUCTION...............................................................................................................................................579.2. SPECIAL CONDITIONS OF CONTRACT............................................................................................................579.3. DECLARATION OF ACCEPTANCE...................................................................................................................63

ANNEX A.4: COSTING AND PRICING..................................................................................................................... 65

10. COSTING AND PRICING.................................................................................................................................. 66

10.1. COSTING AND PRICING EVALUATION...........................................................................................................6610.2. COSTING AND PRICING CONDITIONS............................................................................................................6610.3. DECLARATION OF ACCEPTANCE...................................................................................................................6710.4. BID PRICING SCHEDULE................................................................................................................................68

ANNEX A.5: TECHNICAL SCHEDULES.................................................................................................................... 72

11. TECHNICAL SCHEDULES................................................................................................................................. 72

11.1. LOCATION SCHEDULE...................................................................................................................................72

2 of 81CONFIDENTIAL

11.2. EQUIPMENT AND QUANTITY SCHEDULE......................................................................................................7211.3. SOLUTION ARCHITECTURE............................................................................................................................7211.4. SERVICES AND PERFORMANCE SCHEDULE...................................................................................................7211.5. PROJECT AND DELIVERY SCHEDULE..............................................................................................................72

ANNEX A.6: TERMS AND DEFINITIONS................................................................................................................. 73

1. ABBREVIATIONS............................................................................................................................................ 73

2. DEFINITIONS................................................................................................................................................. 73

ANNEX A.7: BIDDER SUBSTANTIATING EVIDENCE................................................................................................74

ANNEX B: LOCAL CONTENT REQUIREMENTS (SBD 6.2)......................................................................................75

3 of 81CONFIDENTIAL

ANNEX A: INTRODUCTION

1. PURPOSE AND BACKGROUND

1.1. PURPOSE

The purpose of this specification is to obtain bids from Service Providers for the implementation

and maintenance of a Vulnerability Assessment and Management solution for the Department of

Trade and Industry (the dti).

1.2. BACKGROUND

The Office of the Chief Information Officer (OCIO) in the dti is responsible for managing and

maintaining the back office infrastructure hosting the business critical applications and services

that enable the dti to carry out its mandate as well as to ensure the ICT security of the department

as a whole.

Being a government department, information security is a major concern but it needs to be

balanced with the department’s requirement to work efficiently and effectively, as overly tight

information security controls can hamper the employees’ ability to carry out their function.

The goal of information security is to secure and protect information, and in so doing includes the

prevention and detection of unauthorised access and actions by users of a computer. To this end it

aims to achieve the privacy, confidentiality, and integrity and availability of information resources.

One of the Top 20 Critical Security Controls (Number 4 on the SANS CIS 20 Critical Security

Controls for Effective Cyber Defence) is Continuous Vulnerability Assessment and Remediation;

this provides the ability to pro-actively identify and repair known software vulnerabilities.

4 of 81CONFIDENTIAL

2. SCOPE OF BID

2.1. SCOPE OF WORK

The supply, installation, integration and operationalisation of an on-premise Vulnerability

Management solution for the dti that will scan and manage vulnerabilities on 1000 identified

devices.

(1) To meet the scope of work, bidders are required to:

(a) Provide an implementation strategy, including project schedule;

(b) Complete the scope of work within three (3) months from the date of appointment;

(c) Integrate with the dti's existing identity management solution (Active Directory or E-Directory);

(d) Provide maintenance and support on the product for a period of three (3) years;

(e) Provide training and knowledge transfer to the dti’s nominated resources;

(f) Provide user manuals and system documentation to the dti for the implemented solution.

(2) The scope of work excludes the following –

(a) N/A

2.2. DELIVERY ADDRESS

The goods and services must be provided at the physical locations as per section 11.1.

2.3. CUSTOMER INFRASTRUCTURE AND ENVIRONMENT

(1) Product baseline

(a) Specific notable applications within the environment include:

(i) SAP 7 or Later

(ii) JBoss 4 or later

(iii) Apache 2

(iv) IIS 6.5 or later

(v) SQL Server 2005 or later

(vi) SAP Sybase

(vii) MySQL

(viii) Novell E-Directory

(ix) Novell GroupWise

(x) Microsoft Active Directory

(xi) Microsoft Dynamics

(xii) Microsoft Exchange

5 of 81CONFIDENTIAL

(xiii) Microsoft DNS

(xiv) Bind DNS

(xv) Proxy server appliances

(xvi) Trend Micro End User protection suite

(2) Infrastructure baseline

(a) The departments infrastructure consists predominantly of the following components;

(i) Avaya Networking solutions

(ii) Cisco Routing and switching solutions

(iii) Avaya CS1000E VOIP Telephony platform

(iv) Avaya Contact centre solutions

(v) Lexmark Printing solution

(vi) Solarwinds Network Monitoring solution

(3) Operating environment

(a) The dti makes use of a multitude of operating systems:

(i) Microsoft Windows server 2000 or Later,

(ii) Microsoft Windows XP or later

(iii) SuSE Linux 9 or later

(iv) OpenSuSE 9 or later

(v) Ubuntu 7 or later

(vi) Redhat 6.5 or later

(vii) Checkpoint Operating Systems

(viii) Specific purpose built Appliances

6 of 81CONFIDENTIAL

3. TECHNICAL REQUIREMENT OVERVIEW

3.1. PRODUCT REQUIREMENT

(1) Vulnerability Management Solution

(a) Agent based and agentless vulnerability scanning.

(b) Deployed across an initial asset base of a maximum of 1000 assets.

(c) Scalable to at least 2500 assets (the additional 1500 licences are not part of this bid and if required would be bought separately).

(d) Including a centralised management console with live threat tracking and reporting.

(2) Hardware

(a) Able to run as an appliance, or on SLES Linux or Windows Server 2008 or later (only in a virtualised [VMWare 5.5 or later] environment).

(b) Agents and agentless scanners able to support all the asset environments, operating systems and databases as defined in 2.3 above.

(c) Provision of hardware as part of the solution to the dti.

(3) Network

(a) Able to support local and wide area network deployment

(b) Management of agent or log file transfer from asset to the central system must be able to be managed below 150kb/s.

(4) Documentation and Training

(a) Product solution technical documentation and guides (technical, administrator, and user).

(b) Product solution technical and administrator training to facilitate skills transfer by the end of the 36 month maintenance and support period.

3.2. SOLUTION REQUIREMENT

A turnkey solution is required in line with the product requirements as specified in Section 3.1. Additional details in terms of target architecture and solution integration are:

(1) SOLUTION TARGET ARCHITECTURE

(a) Management of vulnerabilities on 1000 assets across the dti’s infrastructure.

(b) Deployed across 1 campus area network and local locations and 5 wide area locations (i.e. the tool should also be able to scan from a single location to locations attached to the wide area network).

(c) Centralised vulnerability management operations centre for monitoring and managing all identified vulnerabilities and alerts.

(d) Solution hardware and software deployed at a single location as specified in section 11.1.

(2) SOLUTION INTEGRATION REQUIREMENTS

7 of 81CONFIDENTIAL

(a) Integration into the dti’s authentication environments of Microsoft Active Directory and e-Directory.

(b) Deployment onto the asset/device, server, workstation, operating system, database, and application.

3.3. PROJECT AND SERVICES REQUIREMENTS

(1) PROJECT DELIVERY SCHEDULE AND PERFORMANCE

(a) Solution design, installation and implementation - from appointment of the Supplier to sign-off of the project – to take no more than 3 calendar months/13 calendar weeks or 93 calendar days.

(2) SERVICE DELIVERY SCHEDULE AND PERFORMANCE METRICS

(a) Provision of on-site maintenance and support - between the hours of 08h00 to 16h30 Monday to Friday - of the implemented Vulnerability Management solution.

(b) Vulnerability Management solution patch and update management as part of the on-site maintenance service in accordance with the product manufacturers patch and update schedule.

(c) Issue and defect resolution with a turn-around time of 24 hours.

(d) Skills transfer to identified dti staff to commence within 6 months of the contract being awarded and continue till the conclusion of the 36 month maintenance and support contract.

4. BID EVALUATION STAGES(1) The bid evaluation process consists of several stages that are applicable according to the

nature of the bid as defined in the table below.

Stage Description Applicable for this bidStage 1 Administrative pre-qualification verification YESStage 2A Technical Mandatory requirement evaluation YESStage 2B Technical Functionality requirement evaluation YESStage 2C Technical Proof of Concept requirement evaluation NOStage 3 Special Conditions of Contract verification YESStage 4 Price / B-BBEE evaluation YES(2) The bidder must qualify for each stage to be eligible to proceed to the next stage of the

evaluation.

8 of 81CONFIDENTIAL

ANNEX A.1: ADMINISTRATIVE PRE-QUALIFICATION

5. ADMINISTRATIVE PRE-QUALIFICATION REQUIREMENTS

5.1. ADMINISTRATIVE PRE-QUALIFICATION VERIFICATION

(1) The bidder must comply with ALL of the bid pre-qualification requirements in order for the bid to be accepted for evaluation.

(2) If the Bidder failed to comply with any of the administrative pre-qualification requirements, or if SITA is unable to verify whether the pre-qualification requirements are met, then SITA reserves the right to –

(a) Reject the bid and not evaluate it, or

(b) Accept the bid for evaluation, on condition that the Bidder must submit within 7 (seven) days any supplementary information to achieve full compliance, provided that the supplementary information is administrative and not substantive in nature.

5.2. ADMINISTRATIVE PRE-QUALIFICATION REQUIREMENTS

(1) Submission of bid response: The bidder has submitted a bid response documentation pack –

(a) that was delivered at the correct physical or postal address and within the stipulated date and time as specified in the “Invitation to Bid” cover page, and;

(b) in the correct format as one original document, two copies and one CD.

(2) Attendance at compulsory briefing session: If a compulsory briefing session was called, then the bidder has signed the briefing session attendance register using the same information (bidder company name, bidder representative person name and contact details) as submitted in the bidders response document.

(3) Registered Supplier. The bidder is, in terms of National Treasury Instruction Note 3 of 2016/17, registered as a Supplier on National Treasury Central Supplier Database (CSD).

9 of 81CONFIDENTIAL

ANNEX A.2: TECHNICAL MANDATORY, FUNCTIONALITY AND PROOF OF CONCEPT REQUIREMENTS

6. TECHNICAL MANDATORYPurpose: Technical Mandatory requirements are the absolute minimum requirements to fulfil the Business Objective;

6.1. INSTRUCTION AND EVALUATION CRITERIA

(1) The bidder must comply with ALL the requirements by providing substantiating evidence in the form of documentation or information, failing which it will be regarded as “NOT COMPLY”.

(2) The bidder must provide a unique reference number (e.g. binder/folio, chapter, section, page) to locate substantiating evidence in the bid response. During evaluation, SITA reserves the right to treat substantiation evidence that cannot be located in the bid response as “NOT COMPLY”.

(3) The bidder must complete the declaration of compliance as per section 6.3 below by marking with an “X” either “COMPLY”, or “NOT COMPLY” with ALL of the technical mandatory requirements, failing which it will be regarded as “NOT COMPLY”.

(4) The bidder must comply with ALL the TECHNICAL MANDATORY REQUIREMENTS in order for the bid to proceed to the next stage of the evaluation.

10 of 81CONFIDENTIAL

6.2. TECHNICAL MANDATORY REQUIREMENTS

TECHNICAL MANDATORY REQUIREMENTS Substantiating evidence of compliance(used to evaluate bid)

Evidence reference(to be completed by bidder)

(1) BIDDER CERTIFICATION / AFFILIATION REQUIREMENTS

(a) The bidder must be a certified supplier and installer of the proposed product solution.

In substantiation of response, bidders must provide a valid OEM certificate certifying their organisation for the proposed product solution.

(2) BIDDER EXPERIENCE AND CAPABILITY REQUIREMENTS

(a) The bidder must have at least 5 years relevant experience in installing, maintaining and supporting the proposed Vulnerability Management Solution of the scope and size required in terms of this bid.

In substantiation of this the bidder must provide letters of reference - on the client’s letterhead -from clients demonstrating a cumulative experience of 5 years. Letters of reference are to contain the following details: Client name:

Services/scope of work provided:

Technology tools used:

Service delivery timelines (start & end dates):

Description of the type of resources allocated to the client:

Client contact details:

Name:

Designation:

Telephone Number:

e-mail address:




(3) BIDDER PRESENCE REQUIREMENTS

None

(4) PRODUCT OR SERVICE TECHNICAL REQUIREMENTS

(a) The proposed solution must be an on-premise solution.

Substantiate by providing references from the proposed product technical specification documentation indicating that all scan data will be retained on premise at all times, and no information detected, or utilised, by the solution will leave the department’s infrastructure.

(b) The solution must be able to scan a minimum of one thousand (1000) IP addresses, and must be scalable to scan a total of two thousand five hundred (2500) IP addresses if required in the future.

Substantiate by providing references from the proposed product technical specification documentation.

(c) The proposed solution must cater for both Agent and Agentless scanning abilities.

Substantiate by providing references from the proposed product technical specification documentation.

(d) Scan result sent across the corporate network (between agents and/or devices and the proposed solution) must be encrypted using a recognised encryption algorithm.

Substantiate by providing references from the proposed product technical specification documentation. These references must detail the encryption methods supported.

(e) The solution must be able to provide vulnerability assessment of Microsoft operating systems Windows 2000 Server or later, and Windows XP desktop or later.

Substantiate by providing references from the proposed product technical specification documentation. These references must detail the Microsoft operating systems supported.




(f) The solution must be able to provide vulnerability assessment of the following virtualisation technologies:

VMWare ESX Server 4.0 and later VMware Workstation 7.0.x and later XEN Virtual box Microsoft Hyper-V

Substantiate by providing references from the proposed product technical specification documentation. These references must detail all virtualisation technologies supported.

(g) The solution must be able to provide vulnerability assessment of the following SQL database technologies:

Microsoft SQL Server 2005 32/64 bit and later Oracle 7 and later Sybase ASE 14 and later MySQL 4 and later

Substantiate by providing references from the proposed product technical specification documentation. These references must detail all SQL database technologies supported.

(h) The solution must be able to provide vulnerability assessment of the following Linux/UNIX operating systems:

SuSE SLES 9 and later OpenSuSE 9 and later Ubuntu 9 and later RedHat (all versions) HPUX 10.20 and later

Substantiate by providing references from the proposed product technical specification documentation. These references must detail all operating system versions supported.

(5) PRODUCT OR SERVICE FUNCTIONAL REQUIREMENT

(a) The proposed solution must be a Vulnerability Lifecycle Management tool with vulnerability

Provide details on whether vulnerability correlation is supported in the proposed product/solution,




correlation. including references to the standard product functional specification documentation.

(b) The proposed solution must provide complete visibility of and reporting on identified vulnerabilities through a single management console.

Substantiate compliance with this requirement by describing how identified vulnerabilities are consolidated and presented through a single management console. To this end bidders may reference both the proposed solution architecture in 7.2.3.a, as well as the proposed solution technical specification documentation.

(c) The product must facilitate asset management where assets have more than one IP address. Assets with more than one IP address must be correlated as one asset to ensure that the vulnerability scans are accurate.

Substantiate compliance with this requirement by detailing how multiple IP addresses per asset are managed in the proposed solution, and how correlation of vulnerabilities identified are consolidated per asset.

(6) INTEGRATION REQUIREMENT

(a) It is required that the proposed product solution integrate with existing authentication methods including LDAP, and SecureID/RADIUS to authenticate users access the proposed solution.

The bidder is required to cross reference and attach the applicable product technical specifications to clearly depict compliance with this requirement.


6.3. DECLARATION OF COMPLIANCE

Comply Not ComplyThe bidder declares by indicating with an “X” in either the “COMPLY” or “NOT COMPLY” column that –

(a) The bid complies with each and every TECHNICAL MANDATORY REQUIREMENT as specified in SECTION 6.2 above; AND

(b) Each and every requirement specification is substantiated by evidence as proof of compliance.


7. TECHNICAL FUNCTIONALITY

7.1. INSTRUCTION AND EVALUATION CRITERIA

(1) The bidder must complete in full all of the TECHNICAL FUNCTIONALITY requirements.

(2) The bidder must provide a unique reference number (e.g. binder/folio, chapter, section, page) to locate substantiating evidence in the bid response. During evaluation, SITA reserves the right to treat substantiation evidence that cannot be located in the bid response as “NOT COMPLY”.

(3) Evaluation per requirement. The evaluation (scoring) of bidders’ responses to the requirements will be determined by the completeness, relevance and accuracy of substantiating evidence. Each TECHNICAL FUNCTIONALITY requirement will be evaluated using a maximum 5 point scale. For the details of each requirement’s evaluation criteria please refer to the specific item.

(4) Weighting of requirements: The full scope of requirements will be determined by the following weights:

No. Technical functionality requirements Weighting1. Bidder Certification And Proficiency Requirements 0%2. Bidder Experience And Capability Requirements 5%3. Product Or Service Functional Requirement 85%4. Product Performance Requirements 10%

TOTAL 100 %(5) Minimum threshold. To be eligible to proceed to the next stage of the evaluation the bid must achieve a minimum threshold score of 70%.


7.2. TECHNICAL FUNCTIONALITY REQUIREMENTS

TECHNICAL FUNCTIONALITY REQUIREMENTS Substantiating evidence and evaluation criteria(used to evaluate bid)

Substantiation reference(to be completed by bidder; If applicable provide a unique reference to locate substantiating evidence in the bid response Annex A.7)

(1) BIDDER CERTIFICATION AND PROFICIENCY REQUIREMENTS

Not applicable for this bid

(2) BIDDER EXPERIENCE AND CAPABILITY REQUIREMENTS

(a) The bidder makes use of known and accepted industry standards in defining, designing, implementing and maintaining/supporting their Vulnerability Management solutions.

In substantiation of response, bidders should provide details of the organisation’s published methodologies and processes for enterprise architecture, solution architecture and project implementation, and operational support and maintenance for the proposed product solution.

0=No methodologies or processes provided1=Published methodologies provided for Enterprise or Solution Architecture only3=Published methodologies provided for Enterprise and Solution Architecture, as well as Project Management5=Published methodologies provided for Enterprise & Solution Architecture, Project Management and




processes for Operational Support and Maintenance.(3) PRODUCT OR SERVICE FUNCTIONAL REQUIREMENT

(a) The bidder must ensure that the proposed solution architecture is capable of delivering the requested scope, and that it contains all the necessary component technology products in support of an industry standard Vulnerability Management Solution.

Substantiate by providing a documented proposed solution architecture that details all technical building blocks in the solution in support of this requirement. The document should contain both diagrams and narrative so as to comprehensively describe the solution architecture.

0=No documented solution architecture provided1=Product documentation provided only3=Product documentation provided together with a solution architecture diagram depicting the solution in the dti’s network5=Product documentation provided together with a solution architecture diagram depicting the solution in the dti’s network together with a narrative explaining how the on-premise solution will cater for the device types, dispersed locations and centralised management console.

(b) Identified vulnerabilities must be automatically Substantiate by cross-referencing the proposed




ranked according to the vulnerabilities risk. This should be achieved by correlating asset types and vulnerability data to achieve a vulnerability ranking.

solution functional specification documentation to clearly depict compliance with this requirement.

0=No product documentation provided or the solution does not support this requirement1=Product documentation provided gives evidence of vulnerability correlation capabilities3=Product documentation gives evidence of vulnerability correlation capabilities by asset and a vulnerability ranking by severity5=Product documentation gives evidence of vulnerability correlation capabilities by asset with a calculated vulnerability ranking that can be configured per asset and vulnerability type

(c) The solution must provide possible vulnerability remediation information by combining vulnerability type, vulnerability severity, and asset criticality information to quickly prioritise and address violations and vulnerabilities on systems and devices.

Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.

0=No product documentation provided or the solution does not support this requirement1= Product documentation gives evidence of




vulnerability correlation capabilities by asset and a vulnerability ranking by severity only3=Product documentation gives evidence of the capability to provide remediation information based on either asset type or vulnerability severity5= Product documentation gives evidence of the capability to provide remediation information based on both asset type and vulnerability severity

(d) The solution must provide an audit trail of vulnerability scans by generating conclusive evidence of: expected and actual scan results, assets not scanned, failed scans, and new assets discovered that are not being scanned.

Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement. If available, the bidder should provide samples of such audit trails as part of their submission.

0= No sample audit trails provided or the solution does not support this requirement1= Sample audit trails provided but these do not cover all audit trail types requested3= Sample audit trails cover actual scan results, failed scans and new assets discovered as a minimum5= Sample audit trails cover expected and actual scan




results, failed scans, assets not scanned, and new assets discovered

(e) Provide an agentless network based scanning solution which can efficiently scan networks to identify assets, and then fingerprint them to determine their operating system and any vulnerabilities they may have.

Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement. If available, the bidder should provide samples of such a fingerprint as part of their submission.

0= No product documentation provided or the solution does not support this requirement1= Product documentation provided gives evidence of the ability to perform agentless network scanning only3= Product documentation provided gives evidence of ability to perform agentless network scanning, fingerprinting of assets, and provision of vulnerability information5= Product documentation provided gives evidence of the full capability, and sample scans or fingerprint results provided in substantiation of the capability

(f) The proposed solution should provide network asset discovery across the entire IP network. After

Substantiate by cross-referencing the proposed solution functional specification documentation to




assets have been discovered, the tool must allow for specific assets to be selected for vulnerability assessment scans.

clearly depict compliance with this requirement.

0= No cross-references to product documentation provided or the solution does not support this requirement3= Product documentation gives evidence of IP based network auto-discovery capabilities only5= Product documentation shows network auto discovery capabilities and the ability to include discovered IP based assets in assessments scans

(g) The solution must support the ability to manage multiple scanners that are geographically displaced if required by the dti.


0= No product documentation provided or the solution does not support this requirement3= Product documentation shows that agent based and agentless scanners can be deployed across the wide area network only4= Product documentation shows that agent based and agentless scanners can be both deployed and managed




across the wide area network5= Product documentation shows that agent based and agentless scanners can be both deployed and managed across the wide area network, and that wide area network bandwidth limitations or constraints have been specified for agent based scanners

(h) The proposed solution must provide complete visibility of and reporting on identified vulnerabilities through a single management console across a Wide Area Network (WAN).

Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement. Bidders must ensure that their proposed solution architecture (7.2.3.a) clearly depicts WAN components in the design.

0=No product documentation provided or the solution does not support this functionality1=Product documentation provided only showing support of a centralised management console3=Product documentation provided together with a solution architecture diagram depicting the management console in the dti’s network (local and wide area)




5= Product documentation provided together with a solution architecture diagram depicting the management console in the dti’s network (local and wide area), and documentation contains details of how vulnerability reporting is provided for local and remote/wide-area assets

(i) The proposed solution must be able to perform authenticated and unauthenticated checks against identified assets.


0= No product documentation provided or solution does not support this functionality3= Product documentation provided gives evidence of support for either authenticated or unauthenticated checks5= Product documentation provided gives evidence of support for both authenticated and unauthenticated checks

(j) The applicable product must automatically update the vulnerability assessment library (library of tests that can be performed) every 24 hours.





0= No product documentation provided or product does not support this functionality3= Product documentation provided gives evidence of support for automated vulnerability library updates (period unspecified or un-configurable)5= Product documentation provided gives evidence of support for automated vulnerability library updates (period of 24 hours specified or configurable)

(k) The solution must provide reports on any new vulnerabilities added to the vulnerability assessment library (refer 7.2.3.j above) and when they were first utilised in asset vulnerability scans.


0= No product documentation provided or product does not support this functionality3= Product documentation provided gives evidence of a report listing new vulnerabilities added since the last report5= Product documentation provided gives evidence of a report listing new vulnerabilities added since the last report and when these were last used in scans




(l) The product must support risk-based scoring metrics per asset being scanned.


0= No product documentation provided or risk-based scoring per asset not supported5= Product documentation provided gives evidence of support for risk-based scoring per assets

(m) The product must support asset management based on attributes of IPv4 addresses as well as IPv6 addresses as follows:

Displaying of IPv4/6 address; Sorting of assets based on IPv4/6 address; Addition of IPv4/6 address as part of

properties; Searching using IPv4/6 address.


0= No product documentation provided or product does not support this functionality1= Product documentation provided gives evidence of support for both IPv4 support only3= Product documentation provided gives evidence of support for either IPv4 or IPv6 with the ability to search, sort and add properties per asset5= Product documentation provided gives evidence of




support for both IPv4 and IPv6 with the ability to search, sort and add properties per asset

(n) The product must allow Scan Administrators to save selected checks as vulnerability scan sets and re-use the same set in other scan configurations and reports.


0= No product documentation provided or product does not support this functionality3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this

(o) The solution must provide for predefined vulnerability sets based on popular compliance standards.


0= No product documentation provided or proposed product does not support this functionality3= Functional requirement can be achieved through




configuration and/or customisation of the product based on the substantiating evidence provided5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this

(p) The proposed solution supports secure non-reversible encryption storage of credentials for systems, for use in authenticated scans.



(q) The product uses a customisable system to track individual assets through IP changes and office moves. Assets must be able to be tracked with a combination of the following tracking methods:

Substantiate support of this requirement by detailing the method used within the solution to enable this functional requirement, as well as the tracking methods supported. In addition, details as to the customisability




IP Address; Host name; DNS name; MAC address

of the functionality should be provided.

0= No product documentation provided or product does not support this functionality1= As per substantiating evidence asset attributes include no more than two of the tracking methods required3= Substantiating evidence shows asset attribute types support all four of the methods listed, and that changes in any of the four attribute types are tracked and viewable in the asset’s history5= Substantiating evidence shows asset attribute types support all four of the methods listed, that changes in any of the four attribute types are tracked and viewable in the asset’s history, and that additional customised attributes can be included per asset

(r) The solution must provide pre-built scan templates that cover common vulnerability checks as prescribed by OWASP, PCIDSS, and CVE.


0= No product documentation provided or product




does not support this functionality1= Product documentation supports the ability to build pre-configured scans based on common vulnerabilities3= Product documentation supports the ability to build pre-configured scans based on common vulnerabilities and that these support at least one of the listed industry standards5= Product documentation supports the ability to build pre-configured scans based on common vulnerabilities and that these support all of the listed industry standards

(s) The proposed product solution must support the following standards:

Open Vulnerability and Assessment Language (OVAL),

Common Vulnerability Scoring System (CVSS), Common Vulnerabilities and Exposures (CVE), Common Platform Enumeration (CPE); Common Configuration Enumeration (CCE).


0= No product documentation provided or none of the listed standards supported1= Product documentation supports for at least two of the standards listed3= Product documentation supports for at least three of the standards listed




5= Product documentation supports for all of the standards listed

(t) The solution must allow for the creation of parallel scans with each scan having its own unique schedule and settings to map correctly to the dti’s vulnerability assessment requirements.

Substantiate support of this requirement by detailing the method used within the solution to enable this functional requirement.


(u) The proposed product must facilitate automatic asset discovery using different discovery techniques (e.g. switch ARP Tables, IP scan, ICMP ping).

Substantiate support of this requirement by detailing the method used for automatic asset discovery, as well as the techniques supported.

0= No product documentation provided or product does not support this functionality3= Functional requirement can be achieved through




configuration and/or customisation of the product based on the substantiating evidence provided5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this

(v) The proposed solution must be able to fingerprint different operating systems (e.g. Microsoft Windows, Linux)

Substantiate support of this requirement by providing product specifications that list the operating systems and version numbers that can be fingerprinted by the proposed solution.


(w) The proposed solution must support the identification of applications installed on assets and scan the applications for vulnerabilities. The types

Substantiate support of this requirement by providing product specifications that list the applications installed on assets that can be scanned by the proposed




of applications can include Java and related products, Adobe and related products, SAP, JBoss and related products, Apache and related products, Checkpoint Solutions, Linux / Open source solution (i.e. IPTables, bind) and Microsoft products.

solution.

0= No product documentation provided or product does not support this functionality1= The product documentation provided shows evidence of support for identification of applications installed on assets only3= The product documentation provided shows evidence of support for application identification but not for all the application types listed5= The product documentation provided shows evidence of support for application identification for all the application types listed

(x) The proposed solution must support the identification of hardware assets and be able to scan these for vulnerabilities. Types of assets can include: network switches, SAN controllers, firewalls, IDS/IPS devices, and printers.

Substantiate support of this requirement by providing product specifications that list the assets/devices that the proposed solution is able to scan.

0= No product documentation provided or product does not support this functionality1= The product documentation provided shows evidence of support for identification of hardware




assets only3= The product documentation provided shows evidence of support for hardware asset identification and vulnerability scanning but supported assets are not listed5= The product documentation provided shows evidence of support for hardware asset identification and vulnerability scanning, and the supported assets listed include those as per the requirement

(y) The Vulnerability Management product solution must provide detailed scan progress information within the management console.

In substantiation of this requirement the product technical specification(s) or component specification provided must provide evidence of how this is supported.

0= No product documentation provided or product does not support this functionality3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided5= Functional requirement is provided out of the box with the product, and documentation gives evidence of




this(z) The proposed solution must support the writing of

custom scripts & scans to manage proprietary and legacy systems.

Substantiate by providing details on the method and supported scripting and scanning toolsets/API’s proposed to support this requirement.

0= No product documentation provided or product does not support this functionality3= Functional requirement and support of legacy system integration can be achieved through customisation of the product based on the substantiating evidence provided5= Functional requirement and support of legacy system integration is provided out of the box through the product scripting, toolsets and API’s, and documentation provided gives evidence of this

(aa) The ability to perform targeted scans (i.e. checks for a specific set of vulnerabilities) must be supported by the solution.

Substantiate support of this requirement by detailing the method used to perform targeted/selective vulnerability scans.

0= No method documentation provided or product does not support this functionality




3= Method detailed supports the ability to select specific vulnerabilities from a presented list of vulnerabilities and apply this in a scan only to all assets5= Method detailed supports the ability to select specific vulnerabilities from a presented list of vulnerabilities and apply this in a scan to selected assets

(bb) The proposed product solution must provide for OS and service-level scanning for web servers with vulnerability scripts designed to detect vulnerabilities in web server applications (such as Microsoft Internet Information Server, Apache HTTP Daemon, Apache Tomcat, JBoss)

Substantiate support of this requirement by detailing the method used within the solution to enable this functional requirement, as well as list the web server applications/environments supported.

0= No method provided or product does not support this functionality2= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating method provided, but no supported web server applications listed4= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating method provided, and




supported web server applications listed5= Functional requirement is provided out of the box with the product, and documentation provided gives evidence of this. Supported web server applications also provided

(cc) The product solution must provide the functionality to specify the type of credentials to be used during scanning, either by IP address, DNS name, NETBIOS name, or with a default set of credentials.

Provide evidence of support of this requirement by confirming that the functionality is supported by the proposed product, provide the product functional specification wherein this is confirmed, and list the methods that are supported based on the list provided.

0= No supporting evidence provided or product does not support this functionality3= Product documentation in support of functionality provided only5= Product documentation in support of functionality provided, and supported methods listed

(dd) The product solution must be able to discover IPv6 targets using ‘neighbour discovery’ and ‘ICMPv6’.






(ee) The product solution must support the following methods for acquiring IPV6 targets:

DNS name IP Address (Individual IP, Range, CIDR format) NETBIOS name Import of IPv6 targets through text file

Substantiate by cross-referencing the proposed solution technical specification documentation to clearly depict which methods are supported.

0= No product documentation provided or product does not support this functionality3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided5= Functional requirement is provided out of the box with the product, methods listed are supported, and documentation provided gives evidence of this

(ff) The product solution must support the following Substantiate by cross-referencing the proposed




IPv6 formats:

Long format ( 2000:0000:fce8:abcd:0000:0000:0000:0084)

Short format (::1, 2000::41) Mapped Format

(2000:0000:fce8:abcd:0000:0000.0.0.0.132) Literal Format (2000--41.ipv6-literal.net)

solution technical specification documentation to clearly depict which formats are supported.

0= No product documentation provided or product does not support this functionality3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided5= Functional requirement is provided out of the box with the product, formats listed are supported, and documentation provided gives evidence of this

(gg) The proposed solution must provide role-based access that segregates global configuration from daily scan activities.


0= No product documentation provided or product does not support this functionality3= Segregation of duties (global configuration from daily scan activities) is achieved through rights assignments per user only5= Segregation of duties (global configuration from




daily scan activities) is achieved through assignment of a user to a role based access group

(hh) The product solution must cater for administrative groups and privileged access that allows segregation of users by asset groups or scan activities

Provide evidence of support of this requirement by confirming that the functionality is supported by the proposed product, provide the product functional specification wherein this is confirmed, and detail the process used to enable this.

0= No supporting evidence provided or product does not support this functionality3= Rights assignments by administrative group allows for either segregation by asset group or scan activities5= Rights assignments by administrative group allows for segregation by asset group and scan activities

(ii) The proposed solution must provide an unalterable audit trail of user access & activities performed within the tool.

Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement, and provide details of how the integrity of the audit trail is assured.

0= No supporting evidence provided or product does




not support this functionality3= As per evidence provided user access and activity audit trails are provided and can only be altered by system administrators5= As per evidence provided user access and activity audit trails are provided and cannot be altered by any system user including administrators

(jj) The management console must be web based and support the following browsers:

Internet Explorer 8 or later, Firefox 3.6 or later Google Chrome

Substantiate by cross-referencing the proposed solution technical specification documentation, and clearly depict which browsers are supported.

0= No supporting evidence provided3= All listed browsers are supported but versions not specified or not all versions supported5= All listed browsers and versions are supported

(kk) The management console tool provided must provide vulnerability and threat / risk dashboards with drill down capabilities.


0= No product documentation provided or product does not support this functionality




3= As per product documentation provided the management console supports the display of vulnerability and threat/risk dashboards only5= As per product documentation provided the management console supports the display of vulnerability and threat/risk dashboards with drill-down capabilities

(ll) The dashboards provided in the management console must include score-trending to track the organisation’s vulnerability mitigation progress over time as an executive management tracking tool.


0= No product documentation provided or product does not support this functionality3= As per product documentation provided the management console supports an organisational vulnerability score profile at a point in time only5= As per product documentation provided the management console supports organisational vulnerability profile trending relative to historical tracking

(mm) The executive management tracking functionality Substantiate by cross-referencing the proposed




must include dashboards that allow for summary measurements of the organisation’s overall security health, as well as short and long-term trend analysis with regards to vulnerability detection and mitigation.

solution functional specification documentation to clearly depict compliance with this requirement, and providing snap-shots of sample dashboard depicting this information.

0= No product documentation provided or product does not support this functionality3= As per product documentation and samples provided the dashboards support an organisational security health score relative to a predefined set of vulnerability factors5= As per product documentation and samples provided the dashboards support an organisational security health score relative to a predefined set of vulnerability factors, as well as trend tracking relative to vulnerability detection and remediation performed in the past n periods

(nn) The management console must provide flexible reports that categorise data by asset, network, risk / threat, or vulnerability

Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement, and providing sample reports depicting this information.




0= No product documentation provided or product does not support flexible reporting3= Flexible reporting supported for at least two of four categorisation factors listed5= Flexible reporting supported for all four of the categorisation factors listed

(oo) The management console must provide detailed reports that rank vulnerabilities by risk type and asset.

Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement, and providing sample reports depicting this information.

0= No product documentation or sample reports provided, or product does not support this requirement3= Detailed reports support either ranking by asset OR by risk type5= Detailed reports support ranking by asset and risk type

(pp) The proposed product solution must be able to provide an asset-centric report, i.e. according to how business units are organised, rather than scan-

Substantiate by providing details of how such reports can be produced, and also provide sample reports depicting this information.




centric or network-centric reports0= No details on how reports are produced or sample reports provided, or product does not support this requirement3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence and samples provided5= Functional requirement is provided out of the box with the product, and documentation/samples provided give evidence of this

(qq) The management console reporting tool must support the use of filters to select and organise results in reports, including the use of IPv6 as a filter.


0= No product documentation provided or product does not support this requirement3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided5= Functional requirement is provided out of the box




with the product, IPv6 is supported, and documentation provided gives evidence of this

(rr) The reports provided must allow for reporting options that categorise data by platform, business unit, geography, or IP range to deliver insight into policy violations, vulnerabilities, remediation actions, and changing risk profiles.

Substantiate by providing details of how such reports can be produced, and also provide sample reports depicting this information.

0= No details on how reports are produced or sample reports provided, or product does not support this requirement3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence and samples provided5= Functional requirement is provided out of the box with the product, formats listed are supported, and documentation/samples provided gives evidence of this

(ss) The management console reporting tool must facilitate report generation for scans even while a scan is still running.


0= No product documentation provided or product




does not support this requirement3= Proposed product solution only supports reporting on completed scans5= Proposed product solution supports reporting on scans while running

(tt) The vulnerabilities identified in the reports generated by the proposed tool must provide links to detailed descriptions of identified vulnerabilities; i.e. each vulnerability must be correlated with standard references such as CVE or SANS.

Substantiate by detailing how this functionality is provided within the tool, and how links to vulnerability types are maintained.

0= No details provided on how this functionality is maintained in the tool, or the product does not support this requirement3= Based on evidence provided the functional requirement can only be achieved through manual configuration and/or customisation of the product to link vulnerability descriptions from authoritative sources5= Based on evidence provided the functional requirement can be achieved out-of-the-box through product provided links to authoritative sources which are automatically updated as/when they are changed




by the standards authority(uu) The detailed vulnerability descriptions linked to the

reports must include recommended steps for remediation and – where applicable - all recommendations must be sourced from the scanned asset manufacturer’s online knowledgebase with a link provided to the appropriate article.

Substantiate by detailing how this functionality is provided within the tool, and how links to knowledgebase(s) are maintained.

0= No details provided on how this functionality is maintained in the tool, or the product does not support this requirement3= Functional requirement can only be achieved through manual configuration and/or customisation of the product to link vulnerability remediation steps from authoritative sources5= Functional requirement can be achieved out-of-the-box through product-provided links to authoritative sources for remediation steps which are automatically updated as/when they are changed at the source

(vv) The recommended remediation steps local source database must support modification to enable customised remediation actions or recommendations.

Substantiate by detailing how this functionality is provided within the tool, and how customised remediation steps are maintained.0= No details provided on how this functionality is maintained in the tool, or the product does not support




this requirement1= Remediation steps exist based on the product based knowledge base but cannot be added to or customised according to the organisation’s needs5= Remediation steps exist based on the product based knowledge base and can be added to or customised according to the organisation’s needs

(ww) The reporting component within the proposed product solution must support custom reports that are easily configurable using a “wizard-style” setup.


0= No details provided on how this functionality is maintained in the tool, or the product does not support this requirement3= As evident in the product documentation, default reports exist within the product but can only be added to or customised by specific intervention by the product supplier or vendor5= Report customisation is possible from within the management console using a “wizard style” report tool/setup as is supported by the product




documentation provided(xx) Generated reports must be able to be scheduled to

occur at the convenience of the administrator and mailed to specific end users.


0= No details provided on how this functionality is supported in the tool, or the product does not support this requirement1= As evident in the product documentation, reports can only be run manually by an operator or user utilising the management console5= Automatic scheduled report generation and e-mailing is possible from within the management console as is supported by the product documentation provided

(yy) It must be possible to include vulnerability assessment data from multiple scans over a specific timeframe in generated reports.

Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement, and detail how the selection of these criteria is achieved.

0= No details provided on how this functionality is




maintained in the tool, or the product does not support this requirement3= As evident in the product documentation, default reports exist within the product but flexibility in terms of duration or reporting span customisation can only be achieved by specific intervention from the product supplier or vendor5= Setting of report timescale and span of data is possible by specifying this within the management console, and this is supported by the product documentation provided

(zz) The proposed product solution must allow for the modification of vulnerability scoring metrics so as to align vulnerability threat level reporting to specific business targets and objectives.

In substantiation of this requirement the product technical, functional or component specification(s) provided must provide evidence of how this is supported.

0= No details provided on how this functionality is maintained in the tool, or the product does not support this requirement3= Functional requirement can be achieved through configuration and/or customisation of the product




based on the substantiating evidence provided5= Functional requirement is provided out of the box with the product, and this is supported by the product documentation provided

(aaa) The proposed solution must provide built-in capabilities that support the assigning of selected vulnerabilities to specific employees, as well the ability to track remediation activities performed by the assignee based on specific scanned asset information.

In substantiation of this requirement the product technical, functional or component specification(s) provided must provide evidence of how this is supported.

0= No product documentation provided on how this functionality is supported in the tool, or the product does not support this requirement3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided5= Functional requirement is provided out of the box with the product, and this is supported by the product documentation provided

(bbb) The product solution must facilitate secure access to the vulnerability and scan results database to allow for data mining of the detailed results by an

In substantiation of this requirement the product technical, functional or component specification(s) provided must provide evidence of how this is




external tool. supported.


(ccc) The tool is able to provide an “attack potential rating” based on Evaluation Assurance Level (EAL).

Substantiate by providing a cross reference to an attached product specification that clearly depicts compliance with this requirement. The tool itself is not meant to be judged using EAL, but rather to provide an estimate EAL rating based on the scan results per asset.

0= No product documentation provided on how this functionality is supported in the tool, or the product does not support this requirement3= Functional requirement can be achieved through




configuration and/or customisation of the product based on the substantiating evidence provided5= Functional requirement is provided out of the box with the product, and this is supported by the product documentation provided

(4) PRODUCT PERFORMANCE REQUIREMENTS

(a) A typical scan should have minimal impact on the network, generally not exceeding 150 Kbps of traffic on the network per scan.

Substantiate support of this requirement by detailing the parameters associated with a standard network vulnerability scan, and confirm the total bandwidth requirement of such a scan.

0= No confirmation provided that the product meets these requirements or the product does not support this requirement3= The respondent has provided written confirmation that their proposed product solution supports this requirement, but no product documentation was provided in substantiation of this claim5= Confirmation in the form of product documentation provided that the proposed product solution supports this requirement




(b) The product must allow for the tuning of scan performance to tailor the amount of bandwidth consumed on the target network



(c) Priority scanning must be catered for by allowing important scans to run at full speed while throttling other scans to run at ½ or ¼ speeds.


0= No product documentation provided on how this functionality is supported in the tool, or the product does not support this requirement3= Functional requirement can be achieved through




configuration and/or customisation of the product based on the substantiating evidence provided5= Functional requirement is provided out of the box with the product, and this is supported by the product documentation provided

(d) The capability must exist to allow for scan exclusions to be specified, thereby preventing critical systems from being scanned.



8. PROOF OF CONCEPTNOT APPLICABLE FOR THIS BID


ANNEX A.3: SPECIAL CONDITIONS OF CONTRACT (SCC)

9. SPECIAL CONDITIONS OF CONTRACT

9.1. INSTRUCTION

(1) The successful supplier will be bound by Government Procurement: General Conditions of Contract (GCC) as well as this Special Conditions of Contract (SCC), which will form part of the signed contract with the successful Supplier. However, SITA reserves the right to include or waive the condition in the signed contract.

(2) SITA reserves the right to –

(a) Negotiate the conditions, or

(b) Automatically disqualify a bidder for not accepting these conditions.

(3) In the event that the bidder qualifies the proposal with own conditions, and does not specifically withdraw such own conditions when called upon to do so, SITA will invoke the rights reserved in accordance with subsection 9.1(2) above.

(4) The bidder must complete the declaration of acceptance as per section 9.3 below by marking with an “X” either “ACCEPT ALL” or “DO NOT ACCEPT ALL”, failing which the declaration will be regarded as “DO NOT ACCEPT ALL” and the bid will be disqualified.

9.2. SPECIAL CONDITIONS OF CONTRACT

(1) CONTRACTING CONDITIONS

(a) Formal Contract. The Supplier must enter into a formal written Contract (Agreement) with the dti.

(b) Right of Award. SITA reserves the right to award the contract for required goods or services to multiple Suppliers.

(c) Right to Audit. SITA reserves the right, before entering into a contract, to conduct or commission an external service provider to conduct a financial audit or probity to ascertain whether a qualifying bidder has the financial wherewithal or technical capability to provide the goods and services as required by this tender.

(d) Sub-Contracting. Due to the anticipated value of this bid, it is expected that no external organisations will be sub-contracted by the primary bidder to deliver the scope of work, and that individuals that deliver the scope on behalf of the successful bidder will either be permanent employees of the bidder (as defined in the Labour Relations Act) or individuals that are fixed duration direct contractors.

(2) DELIVERY ADDRESS. The supplier must deliver the required products or services at

(a) The physical locations as specified in section 11.1.

(3) SCOPE OF WORK AND DELIVERY SCHEDULE

(a) The Supplier is responsible to perform the work as outlined in the following Work Breakdown Structure (WBS):


WBS Statement of Work Delivery Timeframe1. Design, install and implement the Vulnerability

Management Solution (from date of appointment of the Supplier)

3 consecutive calendar months or13 consecutive calendar weeks or

93 consecutive calendar days2. On-site maintenance and support of the solution 36 consecutive calendar months

(b) Commencement of work is counted from the date of the appointment of the Supplier

(c) Commencement of the period of Maintenance and Support is from the date of the sign-off of the implementation phase of the project or the 3 consecutive months has elapsed, whichever comes first.

(4) SERVICES AND PERFORMANCE METRICS

(a) The Supplier is responsible to provide the following services as specified in the Service Breakdown Structure (SBS):

SBS Service Element Service Grade Service Level1. Call Centre Helpdesk Normal 08h00 to 16h30 Monday to Friday

2. Incident Response Normal Maximum 4 hours

3. Incident Restore Normal Maximum 24 hours

(b) The Supplier is required to adhere to the following service specific preventative maintenance conditions:

SBS Service Element Service Grade Service Level4. Vulnerability Management

system patchingN/A In accordance with product

manufacturer’s recommendation5. Upgrade of Solution to latest

version as releasedNormal Within 14 days of version release.

(c) The supplier is required to adhere to the following specific quality of service conditions:

SBS Service Element Service Grade Service Level6. Network Bandwidth

UtilisationPer segment Maximum 150kb/s

(5) SCOPE OF TECHNICAL SOLUTION DEVELOPMENT

(a) The bidder shall be able to support the centralised solution required by the dti, as well as the necessary decentralised agent based and agentless collectors deployed across the dti’s wide area network.

(6) SUPPLIER PERFORMANCE REPORTING

(a) The Supplier will report on a weekly basis to the dti Project Manager during the design, installation and implementation phase of the project; weekly written reports are to be presented to the Project Manager on the progress of the preceding week.


(b) The Supplier will report on a monthly basis to the project’s stakeholders during the design, installation and implementation phase of the project.

(c) The Supplier is required to generate regular reports as outputs during the maintenance and support cycle within the following service levels (the report type will drive the service level agreement; definition of the content of each report type will be finalised at the time of concluding the contracted service level agreement):

(i) Daily reporting (e.g. total vulnerabilities identified, total correlated vulnerabilities, total incidents raised by severity) - report provided by 9am on the day after the date under report

(ii) Weekly reporting (e.g. summary of week's daily reports ranked by department, asset, risk, etc.) - report provided by 9am on the Monday morning after the week under report

(iii) Monthly executive dashboard reporting (e.g. the dti vulnerability trend reporting, organisational vulnerability health, etc.) - provided by the 5th calendar day of each month after the month under report

(7) CERTIFICATION, EXPERTISE AND QUALIFICATION

(a) The Supplier represents that,

(i) it has the necessary expertise, skill, qualifications and ability to undertake the work required in terms of the Statement of Work or Service Definition and;

(ii) it is committed to provide the Products or Services; and

(iii) perform all obligations detailed herein without any interruption to the Customer.

(b) The Supplier must provide the service in a good and workmanlike manner and in accordance with the practices and high professional standards used in well-managed operations performing services similar to the Services;

(c) The Supplier must perform the Services in the most cost-effective manner consistent with the level of quality and performance as defined in Statement of Work or Service Definition;

(d) The bidder's certifies that its key staff assigned to design, implement, maintain and support the solution in terms of this bid are certified by the proposed product manufacturer to do so, and have a minimum of 3 years’ experience in implementing Vulnerability Management solutions. To this end, SITA and/or the dti reserve the right to request of the bidder a full list of all assigned resources servicing the department in the design, implementation, maintenance and support, listing:

(i) Each person's qualifications (copies of qualification may be requested if the department deems this necessary)

(ii) Their number of years' experience in the ICT Security Industry

(iii) Their number of years' experience in implementing, maintaining or supporting the Supplier’s Vulnerability Management solution

(iv) An indication of whether they are permanent or contracted employees


(8) LOGISTICAL CONDITIONS

(a) Hours of work. The supplier must ensure that staff involved in the design and implementation of the solution are available on site between 09h00 and 15h00 Monday to Fridays. Maintenance and support resources are required on site between 08h00 and 16h30 Monday to Friday.

(b) In the event that the dti grants the Supplier permission to access the dti's environment including hardware, software, internet facilities, data, telecommunication facilities and/or network facilities remotely, the Supplier must adhere to the dti's relevant policies and procedures (which policy and procedures are available to the Supplier on request) or, in the absence of such policy and procedures, in terms of best industry practice.

(c) Tools of Trade. All computers and workstations required by staff to perform their duties for the term of this agreement, together with licensed software must be provided by the Supplier.

(d) On-site and Remote Support. The Supplier must provide all support services on site. Escalations to 3rd level support may be made by on-site resources but accountability remains with the on-site resources.

(e) Support and Help Desk. The Supplier must provide Helpdesk services through a telephonic or electronic mechanism to allow the dti to log requests for support of the solution. Maintenance and support efforts shall be coordinated with the dti and must utilise the dti’s change management/control procedures.

(9) SKILLS TRANSFER AND TRAINING

(a) The Supplier must provide certified training on the proposed solution or product to management and technical staff to enable the dti to operate and support the product or solution.

(b) The nature of the training must be formal, and facilitated, hands-on training.

(10) REGULATORY, QUALITY AND STANDARDS

(a) Regulatory, quality or standard requirements were stipulated within the mandatory or non-mandatory sections of this bid.

(11) PERSONNEL SECURITY CLEARANCE

(a) The Supplier personnel who are required to work with GOVERNMENT CLASSIFIED information or access government RESTRICTED areas must be a South African Citizen and at the expense of the Supplier may be security vetted (pre-employment screening, criminal record screening and credit screening).

(b) The Supplier must ensure that the security clearances of all personnel involved in the Contract remains valid for the period of the contract.

(12) CONFIDENTIALITY AND NON-DISCLOSURE CONDITIONS

(a) The Supplier, including its management and staff, must before commencement of the Contract, sign a non-disclosure agreement regarding Confidential Information.


(b) Confidential Information means any information or data, irrespective of the form or medium in which it may be stored, which is not in the public domain and which becomes available or accessible to a Party as a consequence of this Contract, including information or data which is prohibited from disclosure by virtue of:

(i) the Promotion of Access to Information Act, 2000 (Act no. 2 of 2000);

(ii) being clearly marked "Confidential" and which is provided by one Party to another Party in terms of this Contract;

(iii) being information or data, which one Party provides to another Party or to which a Party has access because of Services provided in terms of this Contract and in which a Party would have a reasonable expectation of confidentiality;

(iv) being information provided by one Party to another Party in the course of contractual or other negotiations, which could reasonably be expected to prejudice the right of the non-disclosing Party;

(v) being information, the disclosure of which could reasonably be expected to endanger a life or physical security of a person;

(vi) being technical, scientific, commercial, financial and market-related information, know-how and trade secrets of a Party;

(vii) being financial, commercial, scientific or technical information, other than trade secrets, of a Party, the disclosure of which would be likely to cause harm to the commercial or financial interests of a non-disclosing Party; and

(viii) being information supplied by a Party in confidence, the disclosure of which could reasonably be expected either to put the Party at a disadvantage in contractual or other negotiations or to prejudice the Party in commercial competition; or

(ix) information the disclosure of which would be likely to prejudice or impair the safety and security of a building, structure or system, including, but not limited to, a computer or communication system; a means of transport; or any other property; or a person; methods, systems, plans or procedures for the protection of an individual in accordance with a witness protection scheme; the safety of the public or any part of the public; or the security of property; information the disclosure of which could reasonably be expected to cause prejudice to the defence of the Republic; security of the Republic; or international relations of the Republic; or plans, designs, drawings, functional and technical requirements and specifications of a Party, but must not include information which has been made automatically available, in terms of the Promotion of Access to Information Act, 2000; and information which a Party has a statutory or common law duty to disclose or in respect of which there is no reasonable expectation of privacy or confidentiality;

(c) Notwithstanding the provisions of this Contract, no Party is entitled to disclose Confidential Information, except where required to do so in terms of a law, without the prior written consent of any other Party having an interest in the disclosure;


(d) Where a Party discloses Confidential Information which materially damages or could materially damage another Party, the disclosing Party must submit all facts related to the disclosure in writing to the other Party, who must submit information related to such actual or potential material damage to be resolved as a dispute;

(e) Parties may not, except to the extent that a Party is legally required to make a public statement, make any public statement or issue a press release which could affect another Party, without first submitting a written copy of the proposed public statement or press release to the other Party and obtaining the other Party's prior written approval for such public statement or press release, which consent must not unreasonably be withheld.

(13) GUARANTEE AND WARRANTIES.

The Supplier warrants that:

(a) The warranty of goods supplied under this contract remains valid for thirty-six (36) months after the goods, or any portion thereof as the case may be, have been delivered to and accepted at the final destination indicated in the contract;

(b) as at Commencement Date, it has the rights, title and interest in and to the Product or Services to deliver such Product or Services in terms of the Contract and that such rights are free from any encumbrances whatsoever;

(c) the Product is in good working order, free from Defects in material and workmanship, and substantially conforms to the Specifications, for the duration of the Warranty period;

(d) during the Warranty period any defective item or part component of the Product be repaired or replaced within 3 (three) days after receiving a written notice from the dti;

(e) the Products are maintained during its Warranty Period at no expense to the dti;

(f) the Products possess all material functions and features required for the dti’s Operational Requirements;

(g) the Product remains installed as per specification and requirement, and/or the Service is continued during the term of the Contract;

(h) all third-party warranties that the Supplier receives in connection with the Products including the corresponding software and the benefits of all such warranties are ceded to SITA without reducing or limiting the Supplier’s obligations under the Contract;

(i) no actions, suits, or proceedings, pending or threatened against it or any of its third party suppliers or sub-contractors that have a material adverse effect on the Supplier’s ability to fulfil its obligations under the Contract exist;

(j) SITA is notified immediately if it becomes aware of any action, suit, or proceeding, pending or threatened to have a material adverse effect on the Supplier’s ability to fulfil the obligations under the Contract;

(k) any Product sold to the dti after the Commencement Date of the Contract remains free from any lien, pledge, encumbrance or security interest;

(l) The dti’s use of the Product and Manuals supplied in connection with the Contract does not infringe any Intellectual Property Rights of any third party;


(m) the information disclosed to the dti does not contain any trade secrets of any third party, unless disclosure is permitted by such third party;

(n) it is financially capable of fulfilling all requirements of the Contract and that the Supplier is a validly organized entity that has the authority to enter into the Contract;

(o) it is not prohibited by any loan, contract, financing arrangement, trade covenant, or similar restriction from entering into the Contract;

(p) the prices, charges and fees to the dti as contained in the Contract are at least as favourable as those offered by the Supplier to any of its other customers that are of the same or similar standing and situation as the dti; and

(q) any misrepresentation by the Supplier amounts to a breach of Contract.

(14) INTELLECTUAL PROPERTY RIGHTS

(a) The dti retains all Intellectual Property Rights in and to SITA's Intellectual Property. As of the Effective Date, the Supplier is granted a non-exclusive license, for the continued duration of this Contract, to perform any lawful act including the right to use, copy, maintain, modify, enhance and create derivative works of the dti’s Intellectual Property for the sole purpose of providing the Products or Services to the dti pursuant to this Contract; provided that the Supplier must not be permitted to use the dti’s Intellectual Property for the benefit of any entities other than the dti without the written consent of the dti, which consent may be withheld in the dti’s sole and absolute discretion. Except as otherwise requested or approved by the dti, which approval is in the dti’s sole and absolute discretion, the Supplier must cease all use of the dti’s Intellectual Property, at of the earliest of:

(i) termination or expiration date of this Contract;

(ii) the date of completion of the Services; and

(iii) the date of rendering of the last of the Deliverables.

(b) If so required by the dti, the Supplier must certify in writing to the dti that it has either returned all the dti’s Intellectual Property to the dti or destroyed or deleted all other of the dti’s Intellectual Property in its possession or under its control.

(c) The dti, at all times, owns all Intellectual Property Rights in and to all Bespoke Intellectual Property.

(d) Save for the license granted in terms of this Contract, the Supplier retains all Intellectual Property Rights in and to the Supplier’s pre-existing Intellectual Property that is used or supplied in connection with the Products or Services.

(15) TARGETED PROCUREMENT/TRANSFORMATION

There are no specific procurement/transformation targets.

9.3. DECLARATION OF ACCEPTANCE

ACCEPT ALL DO NOT ACCEPT ALL

(1) The bidder declares to ACCEPT ALL the Special Condition of Contract as specified in section 9.2 above by indicating with



an “X” in the “ACCEPT ALL” column, OR

(2) The bidder declares to NOT ACCEPT ALL the Special Conditions of Contract as specified in section 9.2 above by -

(a) Indicating with an “X” in the “DO NOT ACCEPT ALL” column, and;

(b) Provide reason and proposal for each of the conditions that is not accepted.

Comments by bidder:Provide reason and proposal for each of the conditions not accepted as per the format:Condition Reference:Reason:Proposal:


ANNEX A.4: COSTING AND PRICING

QUALIFICATION NOTICE

To safeguard the integrity of the bidding process, the technical and financial proposals should be submitted in separate sealed envelopes, as per “National

Treasury: Supply Chain Management a guide for Accounting Officers / Authorities, 2004”, section 5.9.4; therefore

All bid Pricing Schedules, as indicated in section 10 COSTING AND PRICING, must be

submitted in a SEPARATE SEALED ENVELOPE, failing which the bid WILL BE DISQUALIFIED.


10. COSTING AND PRICING

10.1.COSTING AND PRICING EVALUATION

(1) ALL PRICING SCHEDULES MUST BE SUBMITTED IN A SEPARATE SEALED ENVELOPE, failing which the BID will be DISQUALIFIED.

(2) In terms of Preferential Procurement Policy Framework Act (PPPFA), the following preference point system is applicable to all Bids:

(a) the 80/20 system (80% Price, 20% B-BBEE) for requirements with a Rand value below R1million where all applicable taxes are included; or

(b) the 90/10 system (90% Price and 10% B-BBEE) for requirements with a Rand value above R1million where all applicable taxes are included.

(3) Based on the budget guideline this bid will be evaluated using the PPPFA preferential points scoring system of 90/10.

(4) The bidder must complete the declaration of acceptance as per section 10.3 below by marking with an “X” either “ACCEPT ALL”, or “DO NOT ACCEPT ALL”, failing which the declaration will be regarded as “DO NOT ACCEPT ALL” and the bid will be disqualified.

(5) Bidder will be bound by the following general costing and pricing conditions and SITA reserves the right to negotiate the conditions or automatically disqualify the bidder for not accepting these conditions. These conditions will form part of the Contract between SITA and the bidder. However, SITA reserves the right to include or waive the condition in the Contract.

10.2.COSTING AND PRICING CONDITIONS

(1) The bidder must submit the Pricing Schedule(s) as prescribed in section 10.4 as well as the relevant enclosed Standard Bidding Document SBD 3.1, 3.2 or 3.3.

(2) SOUTH AFRICAN PRICING. The total price must be VAT inclusive and be quoted in South African Rand (ZAR).

(3) TOTAL PRICE

(a) All quoted prices are the total price for the entire scope of required services and deliverables to be provided by the bidder.

(b) The cost of delivery, labour, S&T, overtime, etc. must be included in this bid.

(c) All additional costs must be clearly specified.

(4) BID EXCHANGE RATE CONDITIONS. The bidders must use the exchange rate provided below to enable SITA to compare the prices provided by using the same exchange rate:

Foreign currency South African Rand (ZAR) exchange rate1 US Dollar1 Euro1 Pound


10.3.DECLARATION OF ACCEPTANCE


(1) The bidder declares to ACCEPT ALL the Costing and Pricing conditions as specified in section 10.2 above by indicating with an “X” in the “ACCEPT ALL” column, or

(2) The bidder declares to NOT ACCEPT ALL the Costing and Pricing Conditions as specified in section 10.2 above by -

(a) Indicating with an “X” in the “DO NOT ACCEPT ALL” column, and;

(b) Provide reason and proposal for each of the condition not accepted.

Comments by bidder:Provide the condition reference, the reasons for not accepting the condition.


10.4.BID PRICING SCHEDULE

Note:a) Bidder must complete the pricing as per table below (or as per the attached spread sheet if applicable).

b) Line Prices are all VAT EXCLUDING, and TOTAL PRICE is VAT INCLUSIVE

(1) PRODUCT OR SERVICE PRICING

No

Product/Service description Total Price(VAT excl.)

Price YEAR 1(VAT excl.)



1. Vulnerability Management Licensing Primary Solution (including monitoring of 1000 assets and all licences for year 1)*

2. Annual License Renewal – Primary Solution (year 2-3)*

3. On-site maintenance and support (year 1-3)4. SUBTOTAL (VAT Excl.)5. VAT (14%)6. SUBTOTAL (VAT Incl.)* Pricing to include all patches, version upgrades, knowledge base updates and vulnerability library subscriptions.


(2) LUMP SUM DELIVERABLE PRICING

No Deliverable/Output Description Total Price(VAT Excl.)

1. Design, installation and implementation of Vulnerability Management Solution (3 months)2. Development and delivery of training manuals and material (Year 1)3. On-Site skills transfer and training of the dti resources (Year 3)4. SUBTOTAL (VAT Excl.)5. VAT (14%)6. SUBTOTAL (VAT Incl.)

(3) BID TOTAL

No Deliverable/Output Description Total Price(VAT Inclusive)

1. Product and Services Pricing (from table 1)2. Deliverable Pricing (from table 2)3. 3-YEAR BID TOTAL


(4) RATE OF EXCHANGE PRICING INFORMATION

Provide the TOTAL BID PRICE for the duration of Contract and clearly indicate the Local Price and Foreign Price, where –(a) Local Price means the portion of the TOTAL price that is NOT dependent on the Foreign Rate of Exchange (ROE) and;

(b) Foreign Price means the portion of the TOTAL price that is dependent on the Foreign Rate of Exchange (ROE).

(c) Exchange Rate means the ROE (ZA Rand vs foreign currency) as determined at time of bid.

No Description Price YEAR 1(Vat Excl.)

Price YEAR 2(VAT Excl.)

Price YEAR 3(VAT Excl.)

1. LOCAL Price (ZAR)2. FOREIGN Price (ZAR)3. Exchange Rate4. SUBTOTAL (VAT Excl.)5. VAT (14%)6. TOTAL (VAT Incl.)7. BID TOTAL


SBD 3.1PRICING SCHEDULE – FIRM PRICES

(PURCHASES)

NOTE: ONLY FIRM PRICES WILL BE ACCEPTED. NON-FIRM PRICES (INCLUDING PRICES SUBJECT TO RATES OF EXCHANGE VARIATIONS) WILL NOT BE CONSIDERED

IN CASES WHERE DIFFERENT DELIVERY POINTS INFLUENCE THE PRICING, A SEPARATE PRICING SCHEDULE MUST BE SUBMITTED FOR EACH DELIVERY POINT

Name of bidder: ………………………………………………………… Bid number:

Closing Time: 11:00 Closing date:

OFFER TO BE VALID FOR ……… DAYS FROM THE CLOSING DATE OF BID._______________________________________________________________________________ITEM QUANTITY DESCRIPTION BID PRICE IN RSA CURRENCYNO. ** (ALL APPLICABLE TAXES INCLUDED)

_______________________________________________________________________________

- Required by: THE STATE INFORMATION TECHNOLOGY AGENCY SOC LTD

- At: …………………………………………………

…………………………………………………

- Brand and model: …………………………………………………

- Country of origin: …………………………………………………

- Does the offer comply with the specification(s)? *YES/NO

- If not to specification, indicate deviation(s) ………………………………….

- Period required for delivery ………………………………….*Delivery: Firm/not firm

- Delivery basis ……………………………………

Note:All delivery costs must be included in the bid price, for delivery at the prescribed destination.

** “all applicable taxes” includes value- added tax, pay as you earn, income tax, unemployment insurance fund contributions and skills development levies.*Delete if not applicable


ANNEX A.5: TECHNICAL SCHEDULES

11. Technical SchedulesInclude the schedules that that are referenced in the technical specifications sections.

11.1.LOCATION SCHEDULE

The Department of Trade and Industry, 77 Meintjies Street, Sunnyside, Pretoria, Gauteng, 0002

11.2.EQUIPMENT AND QUANTITY SCHEDULE

N/A

11.3.SOLUTION ARCHITECTURE

Refer section 3.2

11.4.SERVICES AND PERFORMANCE SCHEDULE

Refer section 3.3

11.5.PROJECT AND DELIVERY SCHEDULE

Refer section 9.2


ANNEX A.6: Terms and definitions

1. ABBREVIATIONSIn alphabetical order

ARP Address Resolution ProtocolCIO Chief Information OfficerCIS Center for Internet SecurityCSD Central Supplier DatabaseCVE Common Vulnerabilities and ExposuresDNS Domain Name ServicesICMP Internet Control Message ProtocolICT Information and Communication TechnologyIDS Intrusion Detection SystemIP Internet ProtocolIPS Intrusion Prevention Systemkb/s Kilobytes per secondLDAP Lightweight Directory Access ProtocolMAC Media Access ControlOCIO Office of the Chief Information OfficerOS Operating SystemOWASP Open Web Application Security ProjectPCI Payment Card IndustryPOC Proof of ConceptPPPFA Preferential Procurement Policy Framework ActRADIUS Remote Authentication Dial-In User ServiceRFB Request For BidRFQ Request For QuoteSAN Storage Area NetworkSANS System Administration, Networking and SecuritySITA State Information Technology Agencythe dti The Department of Trade and IndustryWAN Wide Area Network

2. DEFINITIONS


ANNEX A.7: BIDDER SUBSTANTIATING EVIDENCE

This section is reserved for the bidder to provide information related to the substantiating evidence or comments in the format as required by the bid specification (e.g. text, graphical representation, diagrams, statistical reports, lists, reference letters, copies of product of solution documentation, certificates, licences, memberships, etc.).

Note: The evidence provided in this section will be used by the bid evaluation committee to evaluate the bid. Therefore, each piece of substantiating evidence must be cross referenced to requirements specification section.


ANNEX B: LOCAL CONTENT REQUIREMENTS (SBD 6.2)DECLARATION CERTIFICATE FOR LOCAL PRODUCTION AND CONTENT FOR DESIGNATED SECTORS

This Standard Bidding Document (SBD) must form part of all bids invited. It contains general information and serves as a declaration form for local content (local production and local content are used interchangeably).

Before completing this declaration, bidders must study the General Conditions, Definitions, Directives applicable in respect of Local Content as prescribed in the Preferential Procurement Regulations, 2011, the South African Bureau of Standards (SABS) approved technical specification number SATS 1286:2011 (Edition 1) and the Guidance on the Calculation of Local Content together with the Local Content Declaration Templates [Annex C (Local Content Declaration: Summary Schedule), D (Imported Content Declaration: Supporting Schedule to Annex C) and E (Local Content Declaration: Supporting Schedule to Annex C)].

1. General Conditions

1.1. Preferential Procurement Regulations, 2011 (Regulation 9) makes provision for the promotion of local production and content.

1.2. Regulation 9.(1) prescribes that in the case of designated sectors, where in the award of bids local production and content is of critical importance, such bids must be advertised with the specific bidding condition that only locally produced goods, services or works or locally manufactured goods, with a stipulated minimum threshold for local production and content will be considered.

1.3. Where necessary, for bids referred to in paragraph 1.2 above, a two stage bidding process may be followed, where the first stage involves a minimum threshold for local production and content and the second stage price and B-BBEE.

1.4. A person awarded a contract in relation to a designated sector, may not sub-contract in such a manner that the local production and content of the overall value of the contract is reduced to below the stipulated minimum threshold.

1.5. The local content (LC) expressed as a percentage of the bid price must be calculated in accordance with the SABS approved technical specification number SATS 1286: 2011 as follows:

LC = [1 - x / y] * 100

Wherex is the imported content in Randy is the bid bid price in Rand excluding value added tax (VAT)

Prices referred to in the determination of x must be converted to Rand (ZAR) by using the exchange rate published by South African Reserve Bank (SARB) at 12:00 on the date of advertisement of the bid as indicated in paragraph 4.1 below.

The SABS approved technical specification number SATS 1286:2011 is accessible on http:/www.thedti.gov.za/industrial development/ip.jsp at no cost.


1.6 A bid may be disqualified if –

(a) this Declaration Certificate and the Annex C (Local Content Declaration: Summary Schedule) are not submitted as part of the bid documentation; and

(b) the bidder fails to declare that the Local Content Declaration Templates (Annex C, D and E) have been audited and certified as correct.

2. Definitions

2.1. “bid” includes written price quotations, advertised competitive bids or proposals;

2.2. “bid price” price offered by the bidder, excluding value added tax (VAT);

2.3. “contract” means the agreement that results from the acceptance of a bid by an organ of state;

2.4. “designated sector” means a sector, sub-sector or industry that has been designated by the Department of Trade and Industry in line with national development and industrial policies for local production, where only locally produced services, works or goods or locally manufactured goods meet the stipulated minimum threshold for local production and content;

2.5. “duly sign” means a Declaration Certificate for Local Content that has been signed by the Chief Financial Officer or other legally responsible person nominated in writing by the Chief Executive, or senior member / person with management responsibility (close corporation, partnership or individual).

2.6. “imported content” means that portion of the bid price represented by the cost of components, parts or materials which have been or are still to be imported (whether by the supplier or its subcontractors) and which costs are inclusive of the costs abroad (this includes labour or intellectual property costs), plus freight and other direct importation costs, such as landing costs, dock duties, import duty, sales duty or other similar tax or duty at the South African port of entry;

2.7. “local content” means that portion of the bid price which is not included in the imported content, provided that local manufacture does take place;

2.8. “stipulated minimum threshold” means that portion of local production and content as determined by the Department of Trade and Industry; and

2.9. “sub-contract” means the primary contractor’s assigning, leasing, making out work to, or employing another person to support such primary contractor in the execution of part of a project in terms of the contract.

3. The stipulated minimum threshold(s) for local production and content (refer to Annex A of SATS 1286:2011) for this bid is/are as follows:


Description of services, works or goods Stipulated minimum threshold

_______________________________ _______%

_______________________________ _______%

_______________________________ _______%

4. Does any portion of the services, works or goods offered have any imported content?

(Tick applicable box)

YES NO

4.1 If yes, the rate(s) of exchange to be used in this bid to calculate the local content as prescribed in paragraph 1.5 of the general conditions must be the rate(s) published by SARB for the specific currency at 12:00 on the date of advertisement of the bid.

The relevant rates of exchange information is accessible on www.reservebank.co.za.

Indicate the rate(s) of exchange against the appropriate currency in the table below (refer to Annex A of SATS 1286:2011):

Currency Rates of exchangeUS DollarPound SterlingEuroYenOther

NB: Bidders must submit proof of the SARB rate (s) of exchange used.

5. Were the Local Content Declaration Templates (Annex C, D and E) audited and certified as correct?(Tick applicable box)

YES NO

5.1. If yes, provide the following particulars:

(a) Full name of auditor: ………………………………………………………(b) Practice number:………………………………………………………………………..(c) Telephone and cell number: ……………………………………………………………….(d) Email address: ………………………………………………………………………..

(Documentary proof regarding the declaration will, when required, be submitted to the satisfaction of the Accounting Officer / Accounting Authority)


http://www.reservebank.co.za/

6. Where, after the award of a bid, challenges are experienced in meeting the stipulated minimum threshold for local content the dti must be informed accordingly in order for the dti to verify and in consultation with the AO/AA provide directives in this regard.

LOCAL CONTENT DECLARATION(REFER TO ANNEX B OF SATS 1286:2011)

LOCAL CONTENT DECLARATION BY CHIEF FINANCIAL OFFICER OR OTHER LEGALLY RESPONSIBLE PERSON NOMINATED IN WRITING BY THE CHIEF EXECUTIVE OR SENIOR MEMBER/PERSON WITH MANAGEMENT RESPONSIBILITY (CLOSE CORPORATION, PARTNERSHIP OR INDIVIDUAL)

IN RESPECT OF BID NO. .................................................................................

ISSUED BY: (Procurement Authority / Name of Institution):

.........................................................................................................................

NB

1 The obligation to complete, duly sign and submit this declaration cannot be transferred to an external authorized representative, auditor or any other third party acting on behalf of the bidder.

2 Guidance on the Calculation of Local Content together with Local Content Declaration Templates (Annex C, D and E) is accessible on http://www.thedti.gov.za/industrial_development/ip.jsp. Bidders should first complete Declaration D. After completing Declaration D, bidders should complete Declaration E and then consolidate the information on Declaration C. Declaration C should be submitted with the bid documentation at the closing date and time of the bid in order to substantiate the declaration made in paragraph (c) below. Declarations D and E should be kept by the bidders for verification purposes for a period of at least 5 years. The successful bidder is required to continuously update Declarations C, D and E with the actual values for the duration of the contract.

I, the undersigned, …………………………….................................................... (full names),do hereby declare, in my capacity as ……………………………………… ………..of ...............................................................................................................(name of bidder entity), the following:

(a) The facts contained herein are within my own personal knowledge.

(b) I have satisfied myself that:

(i) the goods/services/works to be delivered in terms of the above-specified bid comply with the minimum local content requirements as specified in the bid, and as measured in terms of SATS 1286:2011; and

(ii) the declaration templates have been audited and certified to be correct.

(c) The local content percentage (%) indicated below has been calculated using the formula given in clause 3 of SATS 1286:2011, the rates of exchange indicated in paragraph 4.1 above and the information contained in Declaration D and E which has been consolidated in Declaration C:


http://www.thedti.gov.za/industrial_development/ip.jsp

Bid price, excluding VAT (y) RImported content (x), as calculated in terms of SATS 1286:2011 RStipulated minimum threshold for local content (paragraph 3 above)Local content %, as calculated in terms of SATS 1286:2011

If the bid is for more than one product, the local content percentages for each product contained in Declaration C shall be used instead of the table above.The local content percentages for each product has been calculated using the formula given in clause 3 of SATS 1286:2011, the rates of exchange indicated in paragraph 4.1 above and the information contained in Declaration D and E.

(d) I accept that the Procurement Authority / Institution has the right to request that the local content be verified in terms of the requirements of SATS 1286:2011.

(e) I understand that the awarding of the bid is dependent on the accuracy of the information furnished in this application. I also understand that the submission of incorrect data, or data that are not verifiable as described in SATS 1286:2011, may result in the Procurement Authority / Institution imposing any or all of the remedies as provided for in Regulation 13 of the Preferential Procurement Regulations, 2011 promulgated under the Preferential Policy Framework Act (PPPFA), 2000 (Act No. 5 of 2000).

SIGNATURE: DATE: ___________

WITNESS No. 1 DATE: ___________

WITNESS No. 2 DATE: ___________

END OF SBD 6.2


LOCAL CONTENT TARGETS

The table below depicts the sectors/sub-sectors/industry goods that have been designated by the DTI with a minimum threshold for local content.

No. Sector/sub-sector/ industry Minimum thresholds for local content

Bid specification requirements designated by

DTI (indicate with “X”)

SITA local content target

(%)

1 Buses (bus body) 80%2 Textiles, clothing, leather and

footwear100%

3 Power pylons 100%4 Canned/processed vegetables 80%5 Pharmaceutical products:

OSD tender Family planning tender

70% volumes50% value

6 Rolling stock 65%7 Set top boxes 30%8 Furniture products:

Office furniture School furniture Base and mattress

85%100%90%

9 Solar water heater components 70%10 Electrical and telecom cables 90% X 90%11 Valves products and actuators 70%12 Residential electricity meter:

Prepaid electricity meters Post-paid electricity meters Smart meters

70%70%50%

13 Working vessels/boats (all types):Components

60%10%-100%


bid specification template - welcome to … 1437... · web viewavaya cs1000e voip telephony...

Documents