NTPC Limited

(A Government of India Enterprise)

EXPRESSION OF INTEREST (EOI)

FROM INDIAN FIRMS

FOR

DEVELOPMENT OF NTPC’S OWN

E-PROCUREMENT SOLUTION

NTPC Limited

Corporate Contracts & Materials

EOC Noida

Expression Of Interest (EOI) From Indian Firms For Development of NTPC’s own E-Procurement Solution.


1.0 DISCLAIMER

1.1 NTPC reserves the right not to proceed further and to change the process or procedure to be applied. It also reserves the right to decline further discussion with any party expressing interest.

1.2 No reimbursement of costs of any type will be paid to persons, entities or consortiums expressing interest.

2.0 BACKGROUND

NTPC is India’s largest power utility, with an installed capacity of 62,110 MW (including JVs) comprising 24 coal based, 7 gas based, 1 hydro, 1 wind, 11 solar and 1 small hydro plants, and plans to become a 130 GW company by 2032. Established in 1975, NTPC aims to be the world’s largest and best power major. NTPC has taken various digital initiatives which inter alia include implementation of SAP ERP, paperless office and e-tendering, mainly through the SRM, GePNIC (Government e-Procurement, NIC) and ETS portals, for faster exchange of information, uniform business processes, better control of operations, decision making etc.

3.0 PURPOSE OF THE EOI

3.1 NTPC presently carries out e-tendering through the GePNIC (Government e-Procurement, NIC) portal for simple and low value tenders and through the SRM portal for large and complex tenders. In order to obviate the need for separate portals to deal with the different requirements of the tendering processes, NTPC desires to explore the possibility of developing a comprehensive portal catering to the requirements of the complete procurement cycle, for both simple and complex packages, from issuance of the NIT to completion of the Reverse/Forward Auction (wherever applicable), with forward and backward integration with NTPC’s existing SAP ERP system.

3.2 NTPC invites ‘Expressions of Interest’ (EOI) from all reputed Indian firms who have experience of successfully designing/developing/customizing/implementing e-tendering solutions or software applications with similar features for the industrial/services/government sector. The details received in the EOIs shall be used to set the qualification criteria for agencies; subsequently, competitive bidding shall be carried out for selection of the agency for development of NTPC’s own e-procurement solution.

4.0 SCOPE OF WORK

4.1 The e-procurement portal should be able to cater for the following types of tenders:


(i) Single tender/Limited tender/Open tender

Domestic Competitive Bidding/International Competitive Bidding

(ii) Tenders in both Indian Rupees and multiple currencies

(iii) Single Stage Single Envelope/Single Stage Two Envelope/Two Stage Bidding

(iv) Reverse Auction/Forward Auction

(v) Tenders for Rate Contracts

(vi) Tenders for enlistment of agencies

4.2 The e-procurement system shall be integrated with NTPC’s existing SAP ERP system to exchange the various information related to tendering as forward and backward linkage.

4.3 The retention of documents on the portal shall be for a period of 15 years.

4.4 The system shall be designed for uploading of tenders/bids up to 500 MB in size.

4.5 The e-procurement portal should handle approx. 18 to 20 thousand tenders per annum.

4.6 The e-procurement system should cater to the requirements of the complete procurement cycle from issuance of the NIT to completion of the Reverse/Forward Auction, along with bucket filling and dynamic/static loading as applicable.

4.7 It should have functionality for payment of the Tender Fee and Bid Security (i.e. Earnest Money Deposit) as per the instructions of the Buyer, either online at the time of online bid submission (subject to the payment limits of the Payment Gateway), or payable offline in parallel with the online bid submission before the bid submission deadline.

4.8 It should have functionality for recording important milestones of Contract Execution, which would include submission of Performance Security by the successful bidder(s).

4.9 NTPC may in future also allow other organizations to use this e-procurement portal for tendering. Accordingly, the portal should have system provisions to enable tendering by users of other organizations.

4.10 The e-Procurement/e-tendering solution to be designed/developed and implemented for NTPC Limited should be fully compliant with the DeitY Guidelines dated 31-08-2011. In order to conform to the quality requirements of an e-procurement solution, the bidder shall get the e-procurement system audited and certified by STQC and obtain an STQC Compliance certificate.


Salient features based on the DeitY Guidelines are as follows (applicants may refer to the DeitY Guidelines for details):

i) Fully compliant with the IT Act 2000 (and its Amendment 2008) and CVC Guidelines.

ii) Implementation of bid encryption at the client end (i.e. the bidder’s computer) using a symmetric key or an asymmetric key (PKI based).

iii) Bids, before transmission from the bidder’s computer, should be protected with SSL encryption.

iv) The e-procurement system should deploy PKI based technologies for authenticating the bids and opening the electronic tender box. A secure methodology for decrypting the bids should be deployed corresponding to the encryption methodology deployed (viz. symmetric or PKI based asymmetric).

v) The e-procurement application should have audit trail facilities.

vi) The e-procurement system should not provide the administrator with read access to passwords. It further should not have a “forgot password” feature that provides an administrator-generated or system-generated temporary password. Once a password is forgotten, a new password may be allotted following the set of processes needed for allotment of a password.

vii) The e-procurement application should have provisions for ensuring validation of PKI signatures through the certificate revocation list and the validity period of the certificate.

viii) A time stamping facility should be present in the e-procurement application for time stamping all important events, such as creation of the tender notice, approval of the tender notice/tender documents, and submission of bids and supplementary bids.

ix) Opening of the bids in the simultaneous online presence of the bidders, with a proper online attendance record of the authorized representatives of the bidders. Merely opening bids online and subsequently displaying some results to the bidders does not fulfil the requirements of a transparent Online Public Tender Opening Event (TOE). While bidders should be welcome to be present physically during the TOE, it should not be mandatory for them to do so. All the above should be achieved online in a user friendly manner.

x) Security checks to assure bidders of non-tampering of their bids, et al., during the online TOE itself.

xi) One-by-one opening of the sealed bids in the simultaneous online presence of the bidders.

xii) Online verification of the digital signatures of bidders affixed to their respective bids.

xiii) The audit for certification of the entire e-procurement solution shall be undertaken by STQC after its deployment and prior to its usage.
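The tender box behaviour that items ii, v, viii, ix, x and xi above require (client-end sealing, a time-stamped audit trail, an attendance record, one-by-one opening and a non-tampering check at the TOE) is modelled in the following added example; it is not NTPC, DeitY or STQC code. The keystream cipher, the fixed clock, the tender id, the bidder names and the offer values are constructed stand-ins for demonstration only.

```python
"""Model of the online Tender Opening Event (TOE) of clause 4.10: client-end sealing
(item ii), a time-stamped hash-chained audit trail (items v, viii), attendance record,
one-by-one opening (items ix, xi) and a non-tampering check (item x). Added example."""
import hashlib
import hmac
import json
from typing import Callable, Dict, List


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (HMAC-SHA256 counter keystream); stand-in for real AES/PKI sealing."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def seal_bid(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return nonce + _keystream_xor(key, nonce, plaintext)  # done on the bidder's computer


def unseal_bid(key: bytes, sealed: bytes) -> bytes:
    return _keystream_xor(key, sealed[:16], sealed[16:])  # key supplied by officers at the TOE


class AuditTrail:
    """Append-only, time-stamped, hash-chained event log (items v and viii)."""
    def __init__(self, clock: Callable[[], str]):
        self.clock = clock
        self.entries: List[Dict] = []

    def record(self, event: str, **details) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": self.clock(), "event": event, "details": details, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recomputes every link; an edited or dropped entry breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


class TenderBox:
    """Electronic tender box: keeps sealed bids and their digests until the TOE."""
    def __init__(self, tender_id: str, deadline: str, clock: Callable[[], str]):
        self.deadline = deadline  # ISO-8601 UTC strings, so they compare in time order
        self.clock = clock
        self.trail = AuditTrail(clock)
        self.bids: Dict[str, Dict] = {}
        self.trail.record("tender_notice_created", tender_id=tender_id, deadline=deadline)

    def submit(self, bidder: str, sealed: bytes) -> str:
        """Accepts a sealed bid before the deadline and logs its digest (item viii)."""
        now = self.clock()
        if now > self.deadline:
            raise ValueError("bid submission deadline has passed")
        digest = hashlib.sha256(sealed).hexdigest()
        self.bids[bidder] = {"sealed": sealed, "digest": digest, "submitted_at": now}
        self.trail.record("bid_submitted", bidder=bidder, digest=digest)
        return digest

    def open_event(self, attendees: List[str], key: bytes) -> List[Dict]:
        """Online TOE: attendance first, then one-by-one opening with a tamper check."""
        self.trail.record("toe_started", attendees=sorted(attendees))
        results = []
        for bidder in sorted(self.bids, key=lambda b: self.bids[b]["submitted_at"]):
            rec = self.bids[bidder]
            intact = hmac.compare_digest(hashlib.sha256(rec["sealed"]).hexdigest(), rec["digest"])
            if not intact:  # stored bid no longer matches the digest logged at submission
                self.trail.record("bid_tampered", bidder=bidder)
                results.append({"bidder": bidder, "intact": False, "content": None})
                continue
            content = unseal_bid(key, rec["sealed"]).decode()
            self.trail.record("bid_opened", bidder=bidder, digest=rec["digest"])
            results.append({"bidder": bidder, "intact": True, "content": content})
        self.trail.record("toe_completed", opened=sum(r["intact"] for r in results))
        return results


def demo() -> Dict:
    """Constructed walk-through: two bidders; one stored bid is altered after submission."""
    ticks = iter(f"2020-06-{d:02d}T12:00:00+00:00" for d in range(10, 30))  # fixed clock
    box = TenderBox("NIT-DEMO-001", "2020-06-20T15:00:00+00:00", clock=lambda: next(ticks))
    key = hashlib.sha256(b"demo-tender-key").digest()  # constructed key held by TOE officers
    box.submit("Bidder-A", seal_bid(key, b"\x01" * 16, b"Bidder-A offer: Rs 4.20 Cr"))
    box.submit("Bidder-B", seal_bid(key, b"\x02" * 16, b"Bidder-B offer: Rs 4.05 Cr"))
    box.bids["Bidder-B"]["sealed"] += b"\x00"  # simulate tampering in storage
    results = box.open_event(["Bidder-A rep", "Bidder-B rep"], key)
    return {"results": results, "trail_ok": box.trail.verify(),
            "events": [e["event"] for e in box.trail.entries]}
```

Running `demo()` opens Bidder-A’s bid, refuses to open the altered Bidder-B bid, and leaves a verifiable chain of events; editing any stored audit entry afterwards makes `verify()` return False.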

4.11 Scope of IT Infrastructure

1. The scope involves supply, installation, commissioning, monitoring and maintenance of all IT hardware and software necessary for the solution.

2. The infrastructure can be provided in one of two options:

Option 1

i) All the hardware needed, including but not limited to servers, storage, network equipment, load balancers, backup devices etc., shall be supplied, installed, commissioned and maintained in both DC and DR.

ii) All the software and software licences needed, including but not limited to operating system, application software, databases, backup, replication, load balancer etc., shall be supplied, installed, commissioned and maintained in both DC and DR.

iii) Data replication for all databases will be done between DC and DR, and the necessary tools for replication and monitoring shall be supplied, installed, commissioned and maintained. The RPO will be 15 minutes and the RTO 6 hours.

iv) There will be no single point of failure in the solution.

v) The infrastructure will be supplied, installed, commissioned and maintained with a warranty for a period of 6 years.

vi) The bidder shall carry out the sizing of the hardware and software required for the solution.

vii) The complete system will be maintained with 99.5 % availability throughout the period of the contract.

Option 2

i) All the hardware needed, including but not limited to servers, storage, network equipment, load balancers, backup devices etc., shall be supplied, installed, commissioned and maintained in a private cloud.

ii) All the software licences needed, including but not limited to operating system, application software, databases, backup, replication, load balancer etc., shall be supplied, installed, commissioned and maintained in a private cloud.


iii) The bidder shall be responsible for the tie-up with the cloud service provider for a period of at least 6 years. The cloud service provider shall be MeitY certified, with its data centre in India.

iv) There will be no single point of failure in the solution.

v) The bidder will carry out the sizing of the hardware and software required for the solution to be hosted in the private cloud.

vi) The complete system will be maintained with 99.5 % availability throughout the period of the contract.

vii) All the necessary steps to ensure security of data will be carried out by the bidder.

viii) The bidder shall provide the details of the back-to-back agreement for the tie-up with the cloud service provider.

ix) The bidder shall clearly provide the exit plan from the cloud service provider. In case of a change of service provider, the bidder will be responsible for migration, installation and commissioning of the system on the new cloud service provider.

5 INFORMATION REQUIRED AS PART OF EOI

5.1 Prospective parties are required to submit the information mentioned below, along with their EOI, in the attached formats:

Company profile

Annual Report including Balance sheets for last five years.

Past Experience details.

Implementation methodology

Financial Capability

Quality Assurance System/Certification

Qualification and Experience of Technical & skilled manpower

Any other relevant information in this regard.

6 INSTRUCTIONS TO THE APPLICANTS

6.1 All costs incurred by the Applicant for preparing and submitting the EOI, in providing clarifications or attending discussions/meetings or for site visits, stationery, or any other expenses whatsoever shall be borne by the Applicants themselves.

6.2 This Expression of Interest document is not transferable.

6.3 The language for submission of documents shall be English.


6.4 The enclosed Annexures shall be filled in completely, and wherever not applicable it should be written as “Not Applicable”.

6.5 The person signing the document submission on behalf of the Applicant shall enclose a Power of Attorney, duly authorized and notarized, for the same. The Power of Attorney shall be backed by a copy of the board resolution of the Company.

6.6 Financial data should be given in Indian Rupees only.

6.7 The information furnished with the EOI must be sufficient for processing and assessment.

6.8 In case the Applicant intends to give additional information for which the specified space in the given format is not sufficient, it can be furnished in enclosed sheets.

6.9 All the pages of the EOI and Annexures should be signed, and corrections and overwriting should be countersigned by the authorized signatory.

6.10 NTPC reserves the right to cross-check and confirm the information and details furnished by the Applicants in the document.

7 DEADLINE FOR SUBMISSION OF EOI

7.1 EOI must be submitted through email no later than 15:00 Hrs on 02.07.2020. EOIs received after the aforesaid deadline shall not be entertained.

NTPC may, at its discretion, extend this deadline for submission of EOI, in which case all rights and obligations of the Employer and applicant will thereafter be subject to the deadline as extended.

8 SIGNATURE AND SUBMISSION

8.1 All Applications must be submitted duly signed by the Applicant under the format for the letter of application which is provided along with this document.

8.2 The signed proposal, along with all the documentary evidence and with all the Annexures filled in and signed, must be submitted through email on or before the prescribed date and time as per the details given below:

DGM (Contract Services)

NTPC Ltd, Engineering Office Complex,

A-8A, Sector 24, NOIDA

Distt. Gautam Budh Nagar, U. P., PIN: 201 301

Tel.No : 9479496797 , 9650992301

Email: vipinsharma01@ntpc.co.in , abhishekjain02@ntpc.co.in


8.3 NTPC may seek additional information from interested parties who respond to this EOI. However, NTPC reserves the right not to act upon the EOI, or to ask for fresh EOI at a later date.

8.4 Prospective parties may note that mere submission of EOI and/or submission of additional information does not automatically entitle them to claim qualification. NTPC at its sole discretion may invite, modify or annul the process without assigning any reason whatsoever.

9 RIGHT TO ACCEPT OR REJECT APPLICATION

9.1 Notwithstanding anything contained in this EOI, NTPC reserves the right to accept or reject any Application, and to annul the process and reject all Applications, at any time without any liability or obligation for such acceptance, rejection or annulment and without giving any reasons.

(to be submitted by the agency on the Company’s Letter Head)

DGM (Contract Services)

NTPC Ltd, Engineering Office Complex,

A-8A, Sector 24, NOIDA- 201 301

(Applicant to Provide Date and Reference)

Dear Sir,

Sub: LETTER FOR APPLICATION – EXPRESSION OF INTEREST (EOI) FOR ‘DEVELOPMENT OF NTPC’S OWN E-PROCUREMENT SOLUTION’

We, the undersigned, express our interest in the subject EOI and declare the following:

(a) We are duly authorized to represent and act on behalf of ________________ (hereinafter the “Applicant”).

(b) We have examined and have no reservations to the EOI Document, including Amendment No(s) and Clarification No(s) __________________ (if any).

(c) We are attaching with this letter the documents defining:

i) the Applicant’s legal status;

ii) its principal place of business; and

iii) its place of incorporation (if Applicants are corporations), or its place of registration (if Applicants are partnerships or individually owned firms).

(d) With reference to your invitation for EOI dated ________, we are furnishing herewith all the required details as per the prescribed formats, along with the necessary documentary evidence in support of our Application.

(e) NTPC and/or its authorized representatives are hereby authorized to conduct any inquiries or investigations to verify the statements, documents and information submitted in connection with this application, and to seek clarification from our bankers and clients. This Letter of Application will also serve as an authorization for any individual or authorized representative of any institution referred to in the supporting information to provide such information as deemed necessary and requested by NTPC.

(f) NTPC and/or its authorized representatives may contact the following nodal persons for further information on any aspects of the Application:

(g) This application is made in the full understanding that:

i) the EOI process will be subject to verification of all information submitted, at the discretion of NTPC;

ii) NTPC reserves the right to reject or accept any or all applications and to cancel the EOI process without any obligation to inform the applicant of the grounds for the same; and

iii) mere submission of EOI and/or submission of additional information does not automatically entitle us to claim qualification/enlistment.

(h) We declare that we have read and abide by the provisions of the Fraud Prevention Policy of NTPC and submit the form of Acceptance of Fraud Prevention Policy duly filled in the Employer’s format.

(i) We declare that we have not engaged any agent or middleman for this EOI process or any other part of the tendering process arising from it. We have not paid and will not be paying any commissions, gratuities or fees with respect to the ongoing EOI process.

(j) The undersigned declare that the statements made and the information provided in the duly completed application are complete, true and correct in every detail. We also understand that in the event of any information furnished by us being found later to be incorrect, or any material information having been suppressed, NTPC may delete our name from the list of qualified Applicants.

NAME

In the Capacity of

Signed

Duly authorized to sign the Application for and on behalf of

Date

ANNEXURE -I

PAGE 1 of 2

(COMPANY PROFILE)

1. Name of the company / firm / organization

2. Postal address for communication

3. Contact person & designation:

4. Business profile of the company (enclosed)

5. Ownership structure of the company

6. Brief profile of the Board members / Partners

ANNEXURE -I

PAGE 2 of 2

7. The following certificates, as relevant, are enclosed:

Certified photocopy of the Partnership Deed, with up-to-date amendments (if any) (YES/NO)

Copy of the Memorandum and Articles of Association of the Company, duly certified as ‘True Copy’ by the Company Secretary with the Company seal (YES/NO)

Copy of the Firm Registration Certificate issued by the Registrar of Companies concerned (YES/NO)

Copy of the Certificate of Incorporation of the Company (YES/NO)

Power of Attorney executed by a Competent Officer under the common seal of the Company, duly authorizing the signee to submit the ‘Expression of Interest’ (YES/NO)

ANNEXURE -II

PAGE 1 of 2

(DETAILS OF FINANCIAL STATUS)

Dy. General Manager (CS),

NTPC Ltd., Engineering Office Complex,

6th Floor,A-8A, Sector-24, NOIDA – 201301,

U.P., INDIA

Dear Sirs,

A) Please furnish the following financial figures in Rupees for the preceding five financial years:

B) Annual Reports including Balance Sheet and Profit & Loss Account, duly certified by a Chartered Accountant, for the preceding 5 financial years are to be submitted.

Enclosed at Appendix: ----

ANNEXURE -II

PAGE 2 of 2

D) Details of all pending court/arbitration cases of the applicant as on 31.03.2020

1) Number of cases: _________________________

2) Aggregate value of claims/disputed amount on account of such cases (in Rs. Cr.): ____________________

*Please specify the foreign exchange rate considered for conversion purposes.

**If the financial year of accounting for an agency is other than April to March, the facts may accordingly be mentioned based on its accounting year, clearly bringing out the period.

Note: Continuation sheets of the same size and format may be added.

ANNEXURE -III

PAGE 1 of 1

IMPLEMENTATION METHODOLOGY FOR DEVELOPMENT OF E PROCUREMENT SOLUTION

(If required, applicants may be asked for a presentation/discussion with respect to the scope of work, past experience and implementation methodology)

Dy. General Manager (CS),

NTPC Ltd., Engineering Office Complex,

6th Floor,A-8A, Sector-24, NOIDA – 201301,

U.P., INDIA

Dear Sirs,

We hereby furnish the following details: (use additional sheets if required)

------------------------------------------------------------------------------------------------------------

Overall

------------------------------------------------------------------------------------------------------------

ANNEXURE -IV

PAGE 1 of 1

(QUALITY ASSURANCE SYSTEM/CERTIFICATION)

Dy. General Manager (CS),

NTPC Ltd., Engineering Office Complex,

6th Floor,A-8A, Sector-24, NOIDA – 201301,

U.P., INDIA

Dear Sirs,

We hereby furnish the following details:

------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------------------------

ANNEXURE -V

PAGE 1 of 1

(ADDITIONAL INFORMATION SCHEDULE)

Dy. General Manager (CS),

NTPC Ltd., Engineering Office Complex,

6th Floor,A-8A, Sector-24, NOIDA – 201301,

U.P., INDIA

Dear Sirs,

We hereby furnish the following additional information:

------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------------------------

ANNEXURE -VI

PAGE 1

1.0 The details of the technical manpower in different areas on our rolls are as under:

(a) Total technical manpower on our rolls (with qualification details) is as under:

(b) The experience details of the above technical manpower on our rolls in different areas are as under:

2 Other areas (to be mentioned by bidders)


2.0 We confirm that we have the appropriately qualified manpower required to undertake the subject work. The details of the individual technical manpower on our rolls are as under:

Note: 1) Use additional sheets in the above format, if required.

2) The agency is to furnish details of only those personnel who have been on the rolls of the company for one year or more.

ANNEXURE VII

Page 1 of 1

Details of works related to e-procurement solutions designed/developed/customized/executed, or similar works, during the last 10 years are as given below:

Note: Work completed within the ten (10) year period specified above may also be considered even if it was started earlier.

ANNEXURE -VIII

PAGE 1 of 1

(FORM OF ACCEPTANCE OF FRAUD PREVENTION POLICY)

Ladies and / or Gentlemen,

We have read the contents of the Fraud Prevention Policy of NTPC displayed on its tender website http://www.ntpctender.com and undertake that we along with our associate/ collaborator / subcontractors/subvendors/ consultants/service providers shall strictly abide by the provisions of the Fraud Prevention policy of NTPC.

Yours faithfully,

Guidelines for compliance to

Quality requirements of eProcurement Systems

STQC Directorate

Department of Information Technology,

Ministry of Communications & Information Technology,

Electronics Niketan, 6 CGO Complex, Lodhi Road,

New Delhi – 110003

Dt: 31.08.2011

CONTENTS

1.0 Introduction

2.0 Operating Models of eProcurement System

3.0 Specific requirements of eProcurement System

4.0 Requirements of Conformity

5.0 Testing framework for Quality and Security Characteristics

6.0 Evaluation & Certification process

Annexures

Annexure‐I : Risks of eProcurement Systems and related ISO 27001 controls

Annexure‐II : Checklist for eSecurity Compliance (including CVC Guidelines)

Annexure‐III : Checklist for compliance to GOI procurement procedures (GFR)

Annexure‐IV : Checklist for legal compliance (IT Act – Amendment 2008)

Annexure‐V : Definitions and Reference Documents

Reference documents:

1. eTendering Process

2. eTendering Glossary

3. eProcurement Integrity Matrix

4. OWASP (Open Web Application Security Project) Top 10 Application Security Risks 2010

5. Business requirements specification: cross industry e-Tendering process (Source CWA 15666)


1.0 Introduction

1.1 Background

The public sector is one of the biggest purchasers of goods and services in the economy. The Government of India acknowledges that automating the procurement process using electronic tools/techniques and enabling opportunities for suppliers fully supports the objective of non-discrimination and fair and open competition. eProcurement is identified as a mission mode project under the National eGovernance Plan. The objective is to transform public sector purchase activity from a labour-intensive, paper-based process to an efficient eProcurement process.

Electronic Procurement (eProcurement) is the use of Information and Communication Technology (especially the Internet) by the buyer (in this case the Government) in conducting its procurement processes with suppliers for the acquisition of goods (supplies), works and services. Use of Information Technology promotes the aims of open, non-discriminatory and efficient government procurement through transparent procedures. It is the technology-enabled acquisition of the goods and services required by an organisation, at the best value obtainable in the most efficient manner possible.

The factors driving the adoption of eProcurement are:

Reduced purchasing cost and improved efficiency

Standardized purchasing processes across the organization

Reduced administrative costs with better effectiveness

Significant reduction in the procurement cycle

Reduced discretion

At the same time the inhibitors to adoption are:

Lack of supplier readiness

System integration issues (compatibility and interoperability)

Confidence on the system (Security, Functionality and Performance)

Insufficient skilled staff

eProcurement involves a set of technology solutions which concentrate on different key areas of procurement, such as

e-Tendering,

e-Auction or Reverse Auction,

e-Catalogue/Purchasing,

e-Marketplace,

e-Invoicing, etc.

The focus of the current Guidelines is mainly on e-Tendering (i.e. tendering with encrypted bids, the equivalent of which in the manual context would be ‘sealed bids’).

This document provides the guideline for compliance to quality requirements of eProcurement systems. The essential quality characteristics of eProcurement system cover Security, Transparency & Functionality.


1.2 General Requirements of eProcurement System

The basic requirements of any eProcurement system are to achieve the goal of Government procurement, namely standardisation of procurement processes and information entities, in an efficient and transparent way. Hence the key requirements are to:

Address the requirements of GFR

For public procurement of goods, services and works (e.g. construction), compliance with GFR rules, processes and roles (purchasing officer, local purchasing committee etc.) is a mandatory requirement. The GFR rules need to be applied in the application workflow of the e-tendering process. The eProcurement system should be designed as per the defined workflow, with adequate security measures.

Confidentiality and Integrity of Information

The key requirement of procurement in public service organisation is to maintain the confidentiality & integrity of the information in procurement life cycle to protect the interest of buyer & supplier and to encourage the competitiveness in the business. The e‐procurement platform transacts confidential procurement data and is exposed to several security threats. This requires employing a combination of security technologies and security best practices which result in reduced threat of data loss, leakage or manipulation.

Address Vigilance Guidelines

The system should meet the requirements of guidelines issued from time to time by Central Vigilance Commission.

System Adaptability & Customisation

The eTendering system needs to have templates to offer flexibility in bidding methodologies as prevailing and currently followed in the manual process. Further, the system should have templates to adopt bidding methodologies as may be prescribed by the respective authorities.

The aim of this document is to provide guidelines that could be followed for designing/developing some critical functionality in an eProcurement system, as well as the necessary process for monitoring adherence to the security and transparency requirements of an eProcurement system during implementation and post-implementation by the eProcurement application developers, service providers and other stakeholders.

1.3 Objective

To provide guidelines for assuring the quality and security of an eProcurement system, so that confidence can be provided to its stakeholders that the system is secure, transparent, auditable and compliant with government procurement procedures.

1.4 Target Audience

Purchase/ Head of Public Service Organization

eProcurement Service Provider

eProcurement Solution Provider/ Application Developer

Third Party Testing and Audit Organization


1.5 Approach

To achieve the above objective the following approach is recommended.

Evaluation of eProcurement System (including data, software, hardware, network, process) to ensure

Correct & complete implementation of organisation procurement policies & procedures

Compliance to GFR rules, CVC guidelines, IT Act (including amendments)

Assuring Security by Design & Development (ie some critical security and transparency related functionality has to be built into the e‐procurement software application) , Implementation, Deployment & Use

Security of Data Storage and Communication

Performance

Usability

Interoperability

Identification of risks and concerns of e‐procurement system & providing the guidelines for mitigating the identified risks.

2.0 Operating Models of eProcurement System

There are four operating models for eProcurement (Reference doc 1):

i) Dedicated eProcurement System: the Government organization wishing to do eProcurement owns and controls the system infrastructure, and also controls all the procurement activities carried out.

ii) Outsourcing Model-1 (Partial Outsourcing, Managed Services): The Government organization procures and owns the system, which is managed by a service provider with adequate security controls. There is a risk that the service provider may get access to vendor data. Issues relating to the Official Secrets Act shall be considered for this model.

iii) Outsourcing Model-2 (Partial Outsourcing, Infrastructure Support): The Government organization uses the eProcurement system of a service provider, who also owns and controls the infrastructure. There is a risk that the service provider may get access to vendor data and may start participating in the core procurement process. Issues relating to the Official Secrets Act shall be considered for this model.

iv) Outsourcing Model-3 (Full Outsourcing (ASP) Model): Multiple Government organizations can register and themselves use the ASP’s portal for their various e-tendering/e-auction activities, with complete control of all the ‘core tendering activities’ in their hands, without any intervention from the service provider. The registration/deregistration activities and the portal infrastructure are managed by the service provider with adequate security controls. In this case the service provider is essentially only a platform provider. The powers and responsibility of the tendering process remain in the hands of the duly authorized officers of the Government organizations and do not get transferred to third party service providers as in ‘Outsourcing Model-2 (Full Outsourcing)’. So while there is some outsourcing in respect of infrastructure, there is no outsourcing of the actual tendering/procurement activities by the concerned user Government organizations.


All models of e‐procurement system must incorporate functionality, processes and technologies outlined in (Annexure I, II, III and IV), and especially apply countermeasures to mitigate known risks (Annexure‐I)

3.0 Specific requirements of eProcurement System

3.1 The service provider, in consultation with the Purchase Officer, shall establish the following processes:

Business Process Re-engineering for switching from manual procurement to eProcurement. (Since Government tendering processes fall within a standard framework, only limited options should be given to the Purchase Officer. The service provider/Purchase Officer should not be able to reduce the essential security and transparency aspects of the system on the pretext of re-engineering and customization.)

Implementation of bid encryption at the client end (i.e. the bidder’s computer) using a symmetric key or an asymmetric key (PKI-based), subject to the issues raised in Annexure-I and II being suitably addressed.

Bids before transmission from the bidder’s computer should be protected with SSL Encryption.

Functionality/ Security/ Transparency related Requirements of a Manual Tendering System and Conformance its Availability in the Offered eProcurement system (functionality requirements of GFR & CVC guidelines)

eProcurement System must have templates to offer flexibility in bidding methodology as prevailing and followed currently in the manner of processing. Further, the system should have templates to adopt bidding methodology as may be prescribed by the purchaser, as long as the methodology is a legally acceptable methodology.

eProcurement System should deploy PKI based technologies for authenticating the bids, and opening electronic tender box. Secure methodology for decrypting bids should be deployed corresponding to the encryption methodology deployed (viz symmetric, or PKI‐based asymmetric). The entire IT hardware infrastructure of E‐Procurement System which includes application software, hardware, and system software be hardened as relevant. The system must deploy anti‐spyware and anti‐spam with a provision to update regularly. The updation of these software on the E‐Procurement System be done using the offline updation mode. The E‐Procurement System must have software tools to protect the operating system from injection of spyware. The entire infrastructure be protected and secured at the perimeter level by installing firewalls and Intrusion Prevention System. The system be configured properly so as to detect any kind of Intrusion into IT system.

eProcurement System can be further secured by installing suitable security incident and event management mechanisms SIEM (Security Incident Event Management).

eProcurement application should have audit trail facilities.

The PKI Key Management System for authenticating the bids or other purposes must specify the holder of private key and public key. The procedure in this case may be prescribed.

eProcurement System should not provide read access to password to the Administrator. E‐Procurement System further should not have “forgot password” feature which provides administrator‐generated or system‐generated temporary password. Once the password is forgotten, a new password may be

6

allotted following a set of processes needed for allotment of password. The forget password request shall be digitally signed.

3.2 The Purchase Officer of a Public Service Organisation (Government Department) must ensure that the e‐Procurement system which he intends to use complies with all the applicable requirements listed in Sections 3 and 4.

3.3 The Purchase Officer must analyse the risk arising out of the establishment of the above mentioned processes and apply suitable controls. Annexures I, II, III and IV may be followed.

3.4 Escrowing of Source Code

The source code of the e‐procurement application software, along with the modifications/ changes/ patches implemented by the agency from time to time, shall be escrowed with the agency nominated by the user organizations, or by the government in the case of dedicated portals.

An MOU would be entered into between the purchase officer/ purchase‐organization and the service provider.

4.0 Requirements of Conformity

4.1 eProcurement systems must address:

The E‐procurement application should have provisions for validating PKI signatures by checking the Certificate Revocation List (CRL) and the validity of the certificate.

It shall have a mechanism for time synchronisation by using a time synchronisation service (TSS) at the hosting level, or synchronisation with the master server at the data centre where the e‐procurement system is hosted.

Time Stamping [facility should be there in the e‐procurement application for time‐stamping of all important events like creation of the tender notice, approval of the tender notice/ tender documents, submission of bids and supplementary bids (like modification, substitution, alternatives), etc.]

The system must conform to GFR rules, processes and roles (purchasing officer, local purchasing committee etc.), and comply with CVC guidelines, the Information Technology Act (including amendments) and other laws of the land as applicable.
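Worked example of the CRL and validity check required in 4.1 above, added here as an illustration; it is not part of these Guidelines nor of any e‐procurement product. It builds a demo CA, bidder signing certificates and a CRL with Go’s standard library, so the CA name, the serial numbers, the validity windows and the sample bid are all assumptions of the example. In production the bidder certificate comes from a licensed CA and the CRL (or an OCSP response) is fetched from that CA’s distribution point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoCA stands in for the licensed CA: it issues bidder signing certificates
// and a CRL. The CA name, serials and validity windows are assumptions.
type demoCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newCA() (*demoCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Tender CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &demoCA{key: key, cert: cert}, err
}

// issue returns a bidder's signing certificate and key for the given validity window.
func (ca *demoCA) issue(cn string, serial int64, from, to time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// crl returns a DER-encoded CRL, signed by the CA, listing the given serials.
func (ca *demoCA) crl(revoked ...int64) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
}

func signBid(key *ecdsa.PrivateKey, bid []byte) ([]byte, error) {
	h := sha256.Sum256(bid)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyBid is the acceptance check on a signed bid, evaluated at time `at`:
// chain and validity period first, then the CRL's own signature and freshness,
// then the revocation lookup, and only then the signature over the bid.
func verifyBid(ca, bidder *x509.Certificate, crlDER, bid, sig []byte, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := bidder.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain/validity: %w", err)
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the CA: %w", err)
	}
	if at.After(rl.NextUpdate) {
		return errors.New("CRL is stale: fetch a fresh one before relying on it")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(bidder.SerialNumber) == 0 {
			return errors.New("bidder certificate is revoked")
		}
	}
	h := sha256.Sum256(bid)
	if pub, ok := bidder.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bid signature does not verify")
	}
	return nil
}

// Scenarios signs a constructed bid with a valid, a revoked and an expired
// bidder certificate and returns verifyBid's verdict for each, plus the
// verdict on a bid altered after signing.
func Scenarios() map[string]error {
	out, now := map[string]error{}, time.Now()
	ca, err := newCA()
	if err != nil { return map[string]error{"setup": err} }
	crlDER, err := ca.crl(101) // serial 101 is revoked
	if err != nil { return map[string]error{"setup": err} }
	bid := []byte("constructed sample bid: package X, INR 1,00,000")
	cases := []struct {
		name     string
		serial   int64
		from, to time.Time
	}{
		{"valid", 100, now.Add(-time.Hour), now.Add(time.Hour)},
		{"revoked", 101, now.Add(-time.Hour), now.Add(time.Hour)},
		{"expired", 102, now.Add(-2 * time.Hour), now.Add(-time.Hour)},
	}
	for _, c := range cases {
		cert, key, err := ca.issue("Bidder "+c.name, c.serial, c.from, c.to)
		if err != nil { out[c.name] = err; continue }
		sig, _ := signBid(key, bid)
		out[c.name] = verifyBid(ca.cert, cert, crlDER, bid, sig, now)
		if c.name == "valid" {
			out["tampered"] = verifyBid(ca.cert, cert, crlDER, append([]byte("x"), bid...), sig, now)
		}
	}
	return out
}
```

The order of the checks is the point: the CRL is relied on only after its own signature and NextUpdate have been verified, so a forged or stale CRL cannot be used to reinstate a revoked bidder, and a certificate outside its validity period is rejected before any signature arithmetic is done. For a bid received earlier, `at` should be the submission time recorded by the time stamping facility of 4.1, not the time of a later opening, otherwise a bidder whose certificate expired or was revoked between submission and opening would be wrongly rejected.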

4.2 Other Requirements for Quality and Security Evaluation:

The following conditions shall be agreed in writing by the service provider.

For the Dedicated portal and ASP‐Model, the e‐procurement application should have a facility for generating audit‐logs, which should be accessible (in a downloadable form) to a specially designated officer of the Purchase organization. For Outsourcing Models 1 and 3, the e‐procurement service provider shall submit all the logs of transactions created by the e‐procurement solution, including a forensic image, on a quarterly basis or as prescribed by the user organization, regularly and as and when demanded by the purchasers. The logs will be duly signed by the administrator of the service provider with his electronic signature.

The audit for certification of the entire e‐procurement solution shall be undertaken after its deployment and prior to its usage.

The e‐procurement solution including the computer server shall be installed in India. No data as captured/stored in the e‐procurement solution will be taken out of India. However, bidders outside India should be able to quote and download permitted data/information.

The audit of the ‘ complete e‐procurement system’ shall be undertaken only on the request of the organization/agency who wish to use/install the system. Software application can be tested based on the request of the developer.

The e‐procurement solution shall need to be tested and audited again after it has been significantly modified (addition/ deletion of functions/ modules) or customized for a new organization whether stand alone or shared mode

The traffic emanating to and from eProcurement systems will be scanned if required by the authorised body. The traffic (netflow) emanating to and from eProcurement System may be provided to CERT‐IN.

Storage of Electronic Invoices

It is assumed that invoices transmitted electronically will be stored electronically. If a public service organisation wishes to store invoices in paper form, the same shall be provided for in the local purchase procedure approved by the competent authority.

For VAT purposes records must be retained for the number of years provided in the respective Act.

The records may be stored anywhere (State Data Centre or the PSU’s own data centre). The only requirements are security, strategic control, and that records must be made available to the public service organisation on demand within two working days.


5.0 Testing framework for Quality and Security Characteristics

5.1 eProcurement Quality and Security Assurance Model

An eProcurement Quality and Security Assurance Model is depicted below:

The Quality & Security evaluation model consists of four layers, namely Data, Application, Infrastructure and Process. Layer by layer assessment will ensure compliance with applicable requirements such as CVC, the IT Act, GFR 2005 and the concerns of other stakeholders.

5.2 Description of the model

A brief description of the layers (from outermost to inner) is given below.

Process‐Layer

ISO 27001 Process Audit #

Verification of the IT security processes to ensure that secure and best practices are followed in operation and maintenance of the e‐Procurement System in line with international standard on Information Security Management System, ISO 27001/27002

To supplement the functionality built into the e‐procurement system, where some requirements of the e‐procurement system and allied processes are being addressed through organizational procedures under ISO 27001/ 27002, these should be explicitly defined with satisfactory explanations. At the time of certification/ audit, such procedures as outlined by the e‐procurement vendor / service provider in response to Annexure‐I , II, III of these Guidelines, shall be reviewed and evaluated.

Monitoring against agreed SLAs #

SLA monitoring shall ensure that the e‐procurement system is adhering to the agreed upon service related (i.e., user centric) as well as system related (i.e., technology centric) service quality requirements such as availability, performance, problem resolution, etc. While service related SLAs take care of the service delivery issues, the system related SLAs address the IT technology (hardware, software and network) used in delivering the services.

Infrastructure Layer

Architecture Review #

The review of e‐procurement system shall be done to ensure that the defined architecture of the e‐procurement system is adequate and suitable for meeting the various operational and service delivery requirements such as performance, security, availability, etc.

It is also recommended that once the e‐procurement system is deployed, the deployed architecture should be audited to verify its compliance against the defined architecture. The audit should cover logical positioning of various system components such as firewall, IDS/IPS, servers, load balancer, etc. In addition, end‐ to‐end transaction flows should be verified to ensure that they are going through the defined path by using dummy test transactions and analysis of logs at various layers. Certification body shall use standardized checklist for the criteria.

Vulnerability Assessment (Servers & Network Devices) #

System configuration checking, i.e. verification of hardening, and vulnerability scanning shall be performed to find out weaknesses, vulnerabilities and mis‐configurations in the target hosts (Servers, Routers, Firewalls, Switches etc.) which host the e‐procurement application system. The Certification body shall use a standardized checklist for the criteria.

Penetration Testing of the System #

Penetration Testing (PT) shall normally be done remotely from the public domain (Internet) and can also be done from the internal network to find out exploitable vulnerabilities. A series of tests, such as information gathering from the public domain, port scanning, system fingerprinting, service probing, vulnerability scanning, manual testing, password cracking etc., using state‐of‐the‐art tools (commercial and open source) and other techniques, shall be conducted with the objective of unearthing vulnerabilities and weaknesses of the overall e‐procurement system and its underlying IT infrastructure. The Certification body shall use a standardized checklist for the criteria.

Performance Testing of the System #

Performance testing of the e‐procurement system shall be done to ensure that system is capable of handling defined user as well as transactional load. The performance testing of the e‐procurement system essentially means measuring the response time of the system for defined scenarios. While measuring the response time it is important to record the resource (CPU, Memory, etc.) utilization. The capacity of the e‐procurement system should be checked by systematically increasing the load on the system till performance degradation or system crash is encountered. Also the manner/ trend in which performance changes with load will determine the scalability of the e‐procurement system.


Application Layer

Application Design Review #

(Note: This would be applicable only where ‘customized software development’ is being done for a specific organization. Furthermore, it should be noted that this review would not be a substitute for the review and testing of critical security and functionality outlined in Annexures I, II and III of these Guidelines)

Design review covers the high level design and the low level (detailed) design of the e‐procurement software application. It will ensure that the software has been designed using best practices and design rules. The review will verify that the design has modularity, flexibility, low complexity and appropriate structural fan‐in & fan‐out, and that it is loosely coupled & highly cohesive. The correctness of the logic and algorithms used in the detailed design should be verified, including any zero day vulnerability in the algorithm.

Application Code review *

(Note: This would be applicable only where ‘customized software development’ is being done for a specific organization. Furthermore, it should be noted that this review would not be a substitute for the review and testing of critical security and functionality outlined in Annexures I, II and III of these Guidelines)

The code review (i.e., static analysis) of the software application source code shall be carried out using tools, measuring metrics such as Lines of Code, Code Complexity, Fan‐in & Fan‐out, Application Call Graph, Dead Code, Rule Violations, Memory Leaks etc. It is also recommended to perform a walk‐through of the source code with the code developer to verify the logic and algorithms used for correctness and optimization.

Special focus should be given to identify any unwanted functions (not required by the e‐procurement software application), as these ‘not to have functionalities’ can be potential security threats.

Application Functional Testing #

The functional testing of the e‐procurement software application shall be carried out to validate the application meets the specified functional requirements covering the work flows, navigations, and business & data Validation rules for the defined user categories with access rights. The functional testing should be done following black box approach and using end‐to‐end user scenarios.

(Note: Detailed scenarios would be prepared for each application software to be tested. This would include all important steps and scenarios of Government Tendering , as well as, ‘all issues’ outlined in Annexures I, II and III of these Guidelines)

Application Security Testing #

The test is conducted to unearth various application security vulnerabilities, weaknesses and concerns related to Data/ Input Validation, Authentication, Authorization/ Access Control, Session Management, Error Handling, Use of Cryptography, etc. Typical issues which may be discovered in application security testing include Cross‐site scripting, Broken ACLs/ Weak passwords, Weak session management, Buffer overflows, Forceful browsing, Form/ hidden field manipulation, Command injection, SQL injection, Cookie poisoning, Insecure use of cryptography, Mis‐configurations, Well‐known platform vulnerabilities, Errors triggering sensitive information leaks, etc. OWASP (Open Web Application Security Project) guidelines are used for the testing.

(Note: Detailed scenarios would be prepared for each application software to be tested. These tests would cover ‘all’ security related issues outlined in Annexures I, II and III of these Guidelines, especially aspects related to bid‐encryption. In addition, standard security tests, viz. Cert‐In, OWASP, FBI Top 20 (any other?) will be conducted)

Application Usability Testing *

Usability testing usually involves systematic observation under controlled conditions to determine how well people can use the product. The e‐procurement system is used by users with different levels of computer knowledge, and user expectations vary with the type of user. Usability testing will ensure that all types of users are comfortable using the system. This shall be done using defined international standards which recommend extensive user interaction and analysis of user behaviour for a defined task.

Application Interoperability and Compatibility Testing *

Interoperability Testing shall be done to check if the software can co‐exist and interchange data with other supporting software in the system. Compatibility testing shall check if the software runs on different types of operating systems and other hardware/software/interface according to customer requirements

Data Layer

Data Storage Security Audit #

This is to be done to ensure the use of standard and strong cryptography while storing the sensitive data and user credentials in the application or associated data base. It is also verified that the cryptography used is compliant with the Information Technology Act and the CVC guidelines

Data Communication Security Audit#

This is to be done to ensure that a secure communication channel like SSL, TLS or equivalent is used for transmission of sensitive data and credentials by the e‐procurement system. The cryptographic algorithms and the key sizes implemented by the system should be standard, strong and compliant with the IT Act and the CVC guidelines.

It is recommended that the complete data transmission to and from the e‐ procurement website should be SSL/ TLS enabled.

6.0 Evaluation and Certification Process

6.1 The applicant shall submit a request to the Testing and auditing agency (like STQC) to get the eProcurement System assessed. The application should specify whether testing is required ‘only for the e‐procurement application’, or for ‘the complete e‐procurement system, viz. the application along with the server in a specific hosting environment’. An application for the former case can be made by the application software developer or licensor, and will cover only Part‐1 of the two scenarios outlined below. An application for the latter case can be made by the service provider, or by the organization which is procuring the system for its dedicated use, and will cover both Part‐1 and Part‐2 of the two scenarios outlined below.

6.2 Inputs & access required by Certification Body

[Scenario‐A: Where ‘Customized Software Development’ of an e‐Procurement System is undertaken]

(Part‐1)

Inputs required for Application Testing

o RFP of the e‐Procurement

o Software Requirements Specification (SRS) addressing functional and non‐functional requirements including business functions and applicable regulations, standards and policies.

o User manual (operational instructions).

o Software application related information such as – Work flows/ Navigations, Business logics/ Rules, Validation Rules, Screen shots and User categories with roles & access rights. Specifically for testing, application related information such as – Work flows/ Navigations for creating comprehensive ‘System Test Cases’ covering various tendering scenarios, User categories with roles & access rights would be required.

o Software Design Document

o Software Application Source Code (if assessment against all desirable requirements is needed)

The inputs should be available along with access to the application hosted in a staging environment with test data.

Note: Apart from review of the ‘developmental aspects’, detailed scenarios would be prepared for each application software to be tested. This would cover ‘all’ security related issues outlined in Annexures I, II and III of these Guidelines, especially aspects related to bid‐encryption.

(Part‐2)

System Architecture

Security Architecture for conducting VA&PT

ISMS of eProcurement Information System (eSecurity Manual)

Access to e‐procurement system/ test site with sample data (preferably field data).

Access to hardware, software, Network & IT infrastructure to connect test tools on to the system, where required.

Non‐disclosure Agreement (NDA) will be signed by STQC to cover the confidentiality of the information submitted by the applicant

[Scenario‐B: Where a ‘Ready‐to‐Use’ e‐Procurement Software License is to be provided, or e‐Procurement Services are made available through an ASP]

Note: The focus of Testing/ Certification here is on the ‘Functionality’, ‘Security’ and ‘Transparency’ related aspects.

(Part‐1)

o User Manual (operational instructions), or equivalent Guidelines for users provided online on the screens of the application

o Software application related information such as – Work flows/ Navigations for creating comprehensive ‘System Test Cases’ covering various tendering scenarios, User categories with roles & access rights.

The inputs should be available along with access to the application hosted in a staging environment with test data

Note: Detailed scenarios would be prepared for each application software to be tested. These tests would cover ‘all’ security related issues outlined in Annexures I, II and III of these Guidelines, especially aspects related to bid‐encryption.

(Part‐2)

System Architecture

Security Architecture for conducting VA&PT

Access to e‐procurement system/ test site with sample data (preferably field data).

Access to hardware, software, Network & IT infrastructure to connect test tools on to the system, where required.

Non‐disclosure Agreement (NDA) will be signed by STQC to cover the confidentiality of the information submitted by the applicant.

6.3 Requirements of Compliance for demonstration

Testing and assessment as specified in Section 4.0 shall be carried out.

To demonstrate conformity to the ESSENTIAL Quality and eSecurity assurance requirements and minimum functionality compliance, the following shall be complied with:

Evidence of compliance to implementation of ISO 27001 Information Security Management System with applicable controls in all concerned entities. The Security processes shall be audited as per controls defined in eSecurity Manual provided by the applicant, and/ or in the applicant’s response to Annexure I, II, III, and IV.

The risk analysis methodology used by the service provider shall adequately address the concerns raised in this document (Annexure‐I). Mitigation methodology and techniques implemented should ensure eProcurement Information System is secure.

While implementing the security controls the service provider shall demonstrate that the requirements of vigilance administration (CVC) (Annexure‐II) are adequately addressed in the Information Security Management System. Also while implementing ISO 27001, the solution provider shall ensure that adequate controls have been implemented to ensure that security at design and operation level are addressed adequately

The software shall be tested for functionality, workflow and other essential requirements (like Central Vigilance Commission Guidelines, GFR, Information Technology Act – Annexure I, II, III, and IV).

The application hardening shall be assessed for the Top 10 vulnerabilities defined by OWASP (Reference doc – 3).

The network should be assessed for adequate security through penetration testing and vulnerability assessment as per NIST 800‐115. To demonstrate that the requirements are implemented and effective, the services of agencies empanelled by CERT‐IN can be used (http://www.cert‐in.org.in).

To demonstrate compliance to the DESIRABLE requirements the following shall be complied with, where applicable:

The software source code shall be evaluated using white box test approach through code review/ inspection process for identifying malicious codes/ Trojan etc.

Workflow shall be in line with the requirement of CWA 15666 to standardized Business Processes and Information Entities using UML Version 1.4 and ebXML Core Components Technical Specification for Data Structure (Reference doc ‐ 4). This will attain the objective of Interoperability and Compatibility of various solutions both at buyer and supplier end

The solution shall be tested to Usability requirements as per Usability information defined in Template I.

6.4 If results are satisfactory and meet the requirements of this document, STQC shall issue a letter indicating Conformity with specified requirements.


Certification Process Flow Chart

(The original is a diagram; its steps are reproduced here as a list.)

1. The Applicant refers to the Guidelines for Quality Requirements of eProcurement System (test pre‐requisites & procedure, test activities, test records, test reports) and requests STQC for certification.

2. A Non‐disclosure Agreement and a Contract Agreement are signed between STQC and the Applicant.

3. STQC evaluates the evidence of conformity supplied by the Applicant. If not satisfactory: corrective action by the supplier. For a minor discrepancy the client is intimated of the non‐compliance and asked to provide the information; if the discrepancy is major and cannot be closed, the job is closed with intimation to the Applicant.

4. Assessment of the Information System, and testing of the Application by the test lab.

5. If the result is satisfactory: grant of the Certificate of approval, followed by updating of the record and maintenance of the certificate.


Scope of Certification

The eProcurement life cycle consists of the following activities:

Purchase to pay

o Contract management

o Content management

o Selection/requisition

o Workflow‐approval

o order

o receive

o invoice

o payment

eSourcing

o management information

o collaboration

o specification/notice

o expression of interest

o invitation to tender

o evaluate

o negotiate/reverse auction

o award

Generally, these activities are covered in different modules e.g.

Supplier Registration

E‐tendering

eAuction

ePayment

Accounting

Reverse Auction

eCatalogue Management

MIS

Contract Management

The applicant can define any module as a part of scope of certification while the eTendering module is the essential requirement to obtain the certification. Depending on the complexity of the module and the scope identified by the applicant the Certification Body/Test Agency will charge for testing and certification.

Note: For any major change in the application (e.g. encryption method, tender opening event, process re‐engineering), the application requires to be completely re‐tested. It is further emphasized that the service provider should not have the source code, and the escrowing requirement mentioned earlier should be strictly adhered to.


Annexure‐I ‐ Risks of eProcurement Systems and related ISO 27001 controls

1. Concerns related with Electronic vs. Manual Procurement

[Table columns: ISO 27001 Control Reference | Guidance and recommended practices ‐ eProcurement System]

Depending upon the requirements of a tender any one of the multiple bidding methodologies as outlined below shall be provisioned in the application:

Single‐stage, single‐ envelope

Single‐stage, two‐ envelope

Two stage (with facility for ‘technical conformance’, and if required, ‘revised tender documents’)

Two‐stage, two‐envelope, with a Pre‐qualification stage where required, and submission of one or more Alternative bids as applicable.

Each bid part (e.g. technical, financial) may be required to be submitted in a ‘summary format’ along with a ‘detailed bid’. The latter could be a large file. There should be provision for an appropriate file size (at least 10 MB) in the application, with data encryption as outlined elsewhere in these Guidelines.

After having submitted the ‘original’ bid for each bid‐part, a bidder has a right to submit:

‘Modification’ bid


‘Substitution’ bid

Or ‘Withdrawal’ bid for all his bid‐submissions.

The e‐tendering system must effectively cater to all these possibilities without compromising security and transparency in any manner at any stage, for any bid part (such as Pre‐qualification, Technical, and Financial).

The e‐tendering system needs to have templates to offer flexibility in bidding methodologies as prevailing and currently followed in the manual process. Further, the system should have templates to adopt bidding methodologies as may be prescribed by the respective authorities.

2.0 Concerns relating to Implementation of e‐procurement systems using PKI based Bid‐Encryption

Public Key algorithms are slow.

A copy of the decryption key (i.e. the private key of the encryption certificate issued by a CA) is generally available (i.e. backed up) with the CA. A duplicate can generally be requested in case of loss; however, this can also be misused.

Guidance and recommended practices‐ Use of PKI technique

If the e‐procurement system uses PKI for bid‐encryption, it has to satisfactorily address the above issues and consequent concerns (Ref 2.2 below) through suitable functionality built into the e‐procurement application. Where, in addition, some issues are being further addressed through organizational procedures under ISO 27001, these should be explicitly defined with satisfactory explanations, otherwise certification process will become subjective. While doing this, the following can be kept in view:

Various techniques are available in the market for improving the implementation of PKI based encryption, such as escrowing, splitting and repeated encryption, to further strengthen the security of the information and of the implementation.

(iii) Audit Trails (both application level and operating system level) are essentially reports. To that extent it is possible to fudge these. Also, other than application‐level audit trail reports, the other audit trail reports can be quite complex and impractical to analyze for ongoing operations of this nature. In spite of this, audit trail reports are useful and should be there as supporting evidence. However, in a sensitive application of this nature, audit trails cannot be depended upon as the sole protection against any mala‐fide act.

A.10.4.2

“Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing”.

A.11.5

A.11.5.1

Access to operating systems shall be controlled by a secure log‐on procedure.

A.11.5.2

All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.

A.11.5.3

Systems for managing passwords shall be interactive and shall ensure quality passwords.

A.11.5.4

The use of utility programs that might be capable of overriding

system and application controls shall be restricted and tightly

controlled.

A.11.5.5

Inactive sessions shall shut down after a defined period of inactivity.

A.11.5.6

Restrictions on connection times shall be used to provide additional security for high‐risk applications.

A10.10

A.10.10.1

Audit logs recording user activities, exceptions, and information

security events shall be produced and kept for an agreed period to

assist in future investigations and access control monitoring.

A.10.10.2

Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.

A.10.10.3

Logging facilities and log information shall be protected against tampering and unauthorized access.

A.10.10.4

System administrator and system operator activities shall be logged.

A.10.10.5

Faults shall be logged, analyzed, and appropriate action taken.


A.10.10.6

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source
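A worked example of controls A.10.10.1, A.10.10.3 and A.10.10.6, and of the time‐stamped, downloadable and signed logs required in Sections 4.1 and 4.2, added here as an illustration; it is not part of these Guidelines nor of any product. It is a hash‐chained audit log whose records are authenticated with HMAC‐SHA256 using Go’s standard library. The key, the actor and event names and the tender identifier are assumptions of the example. The point is that the designated officer verifying the downloaded log can detect edits, deletions and backdating, which a plain audit report (see the remark on audit trails under 2.0 above) cannot.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Entry is one audit record. Prev links it to the previous record and MAC is
// an HMAC-SHA256 over all other fields under a key the application itself does
// not hold (assumed here: the designated officer keeps it), so edits, deletions,
// insertions and reordering are detectable when the downloaded log is checked.
type Entry struct {
	Seq      int       `json:"seq"`
	Time     time.Time `json:"time"` // from the synchronised clock (A.10.10.6)
	Actor    string    `json:"actor"`
	Event    string    `json:"event"`
	TenderID string    `json:"tender_id"`
	Prev     string    `json:"prev"` // MAC of the previous record, "genesis" for the first
	MAC      string    `json:"mac"`
}

type AuditLog struct {
	key     []byte
	clock   func() time.Time
	Entries []Entry
}

// digest computes the MAC of a record over its canonical JSON with MAC blanked.
func digest(key []byte, e Entry) string {
	e.MAC = ""
	b, _ := json.Marshal(e)
	m := hmac.New(sha256.New, key)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil))
}

func (l *AuditLog) Append(actor, event, tenderID string) {
	prev := "genesis"
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].MAC
	}
	e := Entry{Seq: len(l.Entries) + 1, Time: l.clock(), Actor: actor, Event: event, TenderID: tenderID, Prev: prev}
	e.MAC = digest(l.key, e)
	l.Entries = append(l.Entries, e)
}

// Verify is what the designated officer runs on the downloaded log. It returns
// nil for an intact log, otherwise the first record at which the chain fails.
func Verify(key []byte, entries []Entry) error {
	prev := "genesis"
	for i, e := range entries {
		if e.Seq != i+1 {
			return fmt.Errorf("record %d: sequence gap, a record was removed or inserted", i+1)
		}
		if e.Prev != prev {
			return fmt.Errorf("record %d: chain link does not match the previous record", e.Seq)
		}
		if !hmac.Equal([]byte(digest(key, e)), []byte(e.MAC)) {
			return fmt.Errorf("record %d: MAC mismatch, record contents were altered", e.Seq)
		}
		if i > 0 && e.Time.Before(entries[i-1].Time) {
			return fmt.Errorf("record %d: timestamp runs backwards", e.Seq)
		}
		prev = e.MAC
	}
	return nil
}

func clone(in []Entry) []Entry { out := make([]Entry, len(in)); copy(out, in); return out }

// rechain recomputes Prev and MAC for every record: what an insider who also
// holds the key would do after editing. Keeping the key outside the application
// is the control against that insider; the monotonic-time check below still
// catches crude backdating.
func rechain(key []byte, in []Entry) []Entry {
	out, prev := clone(in), "genesis"
	for i := range out {
		out[i].Prev = prev
		out[i].MAC = digest(key, out[i])
		prev = out[i].MAC
	}
	return out
}

// Scenario records the key events of one constructed tender, then applies
// three manipulations to copies of the log and returns Verify's verdict on each.
func Scenario() map[string]error {
	key := []byte("constructed demo key, not a production secret")
	t0, step := time.Date(2024, 1, 10, 9, 0, 0, 0, time.UTC), 0
	l := &AuditLog{key: key, clock: func() time.Time { step++; return t0.Add(time.Duration(step) * time.Minute) }}
	l.Append("purchase_officer", "tender_notice_created", "NIT-001")
	l.Append("purchase_officer", "tender_notice_approved", "NIT-001")
	l.Append("bidder_a", "bid_submitted", "NIT-001")
	l.Append("bidder_a", "bid_modified", "NIT-001")
	l.Append("opening_committee", "tender_box_opened", "NIT-001")
	out := map[string]error{"intact": Verify(key, l.Entries)}

	edited := clone(l.Entries)
	edited[2].Actor = "bidder_b" // rewrite who submitted the bid
	out["edited"] = Verify(key, edited)

	deleted := append(clone(l.Entries[:3]), l.Entries[4:]...) // drop the bid modification
	out["deleted"] = Verify(key, deleted)

	backdated := clone(l.Entries)
	backdated[3].Time = t0 // push the modification before every other event
	out["backdated_by_insider"] = Verify(key, rechain(key, backdated))
	return out
}
```

HMAC is used because it needs only the standard library. Section 4.2 asks for the administrator’s electronic signature on submitted logs, so in production the chain head (the last MAC) would be digitally signed with the administrator’s digital signature certificate, and the chain key would be held in an HSM or by the designated officer rather than by the application. A hash chain does not by itself reveal truncation of the tail; periodically exporting the latest MAC to the purchase organization closes that gap.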

Guidance and recommended practices‐ Spyware/Trojan/BOTS

It is important that, even if a clandestine copy of a submitted bid is made and stolen as above, the bid‐encryption methodology is such that it is not possible to decrypt the bids in connivance with any officer of the Buyer organization or of the Service Provider organization. While this issue becomes irrelevant if bid encryption is done at the bidder end with a bidder‐created symmetric pass‐phrase, where PKI‐based bid encryption is done the software functionality has to be suitably augmented to mitigate this security threat. This threat has also been explicitly mentioned in the CVC guidelines (refer security check‐point No. 14 of Annexure‐II).
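A worked example of the ‘splitting’ technique mentioned under 2.0 and of the requirement in the preceding paragraph that a stolen bid copy must not be decryptable in connivance with any single officer or the service provider, added as an illustration; it is not part of these Guidelines nor of any product. Using Go’s standard library, the bid is encrypted on the bidder’s computer with a fresh random AES‐256‐GCM key, that key is split into one XOR share per tender‐opening officer, and each share is wrapped with that officer’s RSA‐OAEP public key. The three officers, their RSA keys and the sample bid are constructed for the example; a production system would use the officers’ keys from a licensed CA, and a threshold (k‐of‐n) scheme where an officer’s absence must be tolerated.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SealedBid is what the portal stores: the bid under a fresh AES-256-GCM key,
// plus that key split into one XOR share per tender-opening officer, each share
// wrapped with that officer's RSA-OAEP public key. No single holder (one
// officer, the service provider, or a thief with a clandestine copy) can
// recover the key; every officer must act together at the opening event.
type SealedBid struct {
	Nonce, Ciphertext []byte
	WrappedShares     [][]byte // index i belongs to officer i
}

// splitKey produces n shares whose XOR is key; any n-1 of them are uniformly
// random and reveal nothing about it.
func splitKey(key []byte, n int) ([][]byte, error) {
	if n < 2 { return nil, errors.New("at least two opening officers are required") }
	shares, last := make([][]byte, n), append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		shares[i] = make([]byte, len(key))
		if _, err := rand.Read(shares[i]); err != nil { return nil, err }
		for j := range last { last[j] ^= shares[i][j] }
	}
	shares[n-1] = last
	return shares, nil
}

func joinKey(shares [][]byte) []byte {
	key := make([]byte, len(shares[0]))
	for _, s := range shares {
		for j := range key { key[j] ^= s[j] }
	}
	return key
}

// SealBid runs on the bidder's computer before upload.
func SealBid(bid []byte, officers []*rsa.PublicKey) (*SealedBid, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	shares, err := splitKey(key, len(officers))
	if err != nil { return nil, err }
	sb := &SealedBid{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, bid, nil), WrappedShares: make([][]byte, len(officers))}
	for i, pub := range officers {
		if sb.WrappedShares[i], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, shares[i], nil); err != nil { return nil, err }
	}
	return sb, nil
}

// unwrapShare is all that officer i can do alone with their private key.
func unwrapShare(sb *SealedBid, i int, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sb.WrappedShares[i], nil)
}

// openWithShares rebuilds the key from the shares supplied; with a share
// missing the key is wrong and GCM authentication fails instead of producing garbage.
func openWithShares(sb *SealedBid, shares [][]byte) ([]byte, error) {
	block, err := aes.NewCipher(joinKey(shares))
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, sb.Nonce, sb.Ciphertext, nil)
}

// OpenBid is the tender-opening event: every officer unwraps their own share.
func OpenBid(sb *SealedBid, officers []*rsa.PrivateKey) ([]byte, error) {
	if len(officers) != len(sb.WrappedShares) { return nil, errors.New("all tender-opening officers must be present") }
	shares := make([][]byte, len(officers))
	for i, priv := range officers {
		s, err := unwrapShare(sb, i, priv)
		if err != nil { return nil, err }
		shares[i] = s
	}
	return openWithShares(sb, shares)
}

// Scenario seals a constructed bid for three officers and checks that all three
// open it, that two colluding officers cannot, and that a modified ciphertext is rejected.
func Scenario() (map[string]bool, error) {
	privs, pubs := make([]*rsa.PrivateKey, 3), make([]*rsa.PublicKey, 3)
	for i := range privs {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil { return nil, err }
		privs[i], pubs[i] = k, &k.PublicKey
	}
	bid := []byte("constructed financial bid: INR 12,50,000 for package X")
	sb, err := SealBid(bid, pubs)
	if err != nil { return nil, err }
	res := map[string]bool{}
	got, err := OpenBid(sb, privs)
	res["all_officers_open"] = err == nil && bytes.Equal(got, bid)

	s0, _ := unwrapShare(sb, 0, privs[0])
	s1, _ := unwrapShare(sb, 1, privs[1])
	_, err = openWithShares(sb, [][]byte{s0, s1}) // officer 2 absent: wrong key
	res["two_of_three_fail"] = err != nil

	t := *sb
	t.Ciphertext = append([]byte(nil), sb.Ciphertext...)
	t.Ciphertext[0] ^= 1 // one bit flipped in the stored copy
	_, err = OpenBid(&t, privs)
	res["tamper_detected"] = err != nil
	return res, nil
}
```

Two of three shares XOR to a uniformly random value, so two colluding officers, or one officer plus whoever holds a stolen ciphertext, learn nothing about the key. Because the key is random rather than derived from the bidder’s own certificate, the CA backup of a bidder’s private key raised under 2.0 gives no access to the bid either: the bidder’s key is used for signing only, never for bid confidentiality. The officers’ wrapping keys are the sensitive part of this design; a party holding all of them could open bids before the event, so they should be generated on the officers’ own tokens and never escrowed.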

a)The controls should be placed to guard against the possibility of injecting spyware for making clandestine copies of a submitted bid and then sending this clandestine copy to a secret destination.

The spyware are the malicious software codes which can be injected in to the system remotely. To protect the system from injection of spyware, the system needs to be secured. The system need to be secured and protected in the following manner;

Hardening of the hardware and software of the entire Information Technology infrastructure (which includes computer systems, software, routers etc.).

Installation of anti‐spyware, anti‐spam and antivirus software.

Installation of software tools to protect the operating system from injection of spyware. This software needs to be updated on a continuous basis.

The entire infrastructure needs to be secured at the perimeter level by installing firewalls and an Intrusion Prevention System.

After the software has been installed and the protective devices put in place, the entire IT infrastructure needs to be audited by Information Technology auditors. The Indian Computer Emergency Response Team (CERT‐IN), Department of Information Technology, has empanelled auditors for auditing systems from the point of view of cyber security. It is recommended that the system be audited at least once a year, and whenever the infrastructure (i.e. hardware and software) is augmented by the addition of new hardware or software.

Further, the people operating these systems need to be trained in monitoring and detecting any intrusion into the system and network.

b) The kernel of the operating system in the IT infrastructure should be secured first, by hardening the operating system and installing software which protects it from injection of spyware or any other kind of intrusion.

c) The e‐procurement system should have audit trail facilities. These audit trails are complex but dependable. The audit trail reports provide useful information about the instructions which take place in the system both at operating system and


unencrypted form.

Guidance and recommended practices

Note: While some guidance is provided below, it is the responsibility of the individual vendors to design and develop their applications in a manner that addresses the outlined concerns. They should first convincingly demonstrate the full methodology to DIT, and then DIT will transparently put this methodology on its website, so that bidders who use such e‐procurement systems in future are fully assured against breach of confidentiality of their bid‐data.

2.6 A system in which the Public Key of a bidder’s representative is used for bid‐encryption at the bidder’s office, and where decryption will be done by the bidder’s representative himself using his private key during the Online Public TOE.

Concerns:

a) Concerns outlined in 2.4 and 2.5 above are applicable here also, and should be suitably addressed.

b) How would the bids be opened if the bidder’s representative with whose key the bids have been encrypted is not available during the Online Public TOE? The non‐availability could be due to leave, termination or any other reason.

c) A copy of the decryption key (i.e. the private key of the encryption certificate issued by a CA) is generally available (i.e. backed up) with the CA. A duplicate can generally be requested in case of loss; however, this can also be misused.

Note: The private key cannot be transmitted by the bidder over the internet. Furthermore, during the Online Public TOE, bids cannot be allowed to be downloaded from the server to the bidder’s computer. This would be tantamount to the bids being taken away from the tender‐box back to the bidder’s office for opening. This cannot be allowed. Therefore the bidder will have to be physically present during the Public TOE, and such a system will never be able to have a proper Online Public TOE. This would immediately remove one of the biggest benefits of e‐procurement. Assuming that all other concerns are satisfactorily addressed, this would at best be a PARTIAL e‐procurement system.

3. Concerns relating to situations where bids, before being transmitted from the bidder’s computer, are protected with only SSL Encryption, and Database level Encryption is done before the bid is stored in the Database Server

Guidance and recommended practices

Secure submission of bid from bidder’s computer to the server should be done after the bid file/ data is encrypted (with symmetric or asymmetric encryption) at the bidder’s computer and further submitted to the e‐procurement server through SSL encryption. Only the encrypted file submitted by the bidder should be stored and should be decrypted at the Tender Opening Event (TOE).

The above issues exist irrespective of whether only select data is encrypted, or the entire database is encrypted.

If a clandestine copy of a bid is made as described above in the interim period which would be before the ‘tender opening event (TOE)’, and if the administrator connives, the confidentiality of the bid is compromised.

1b. The above concern with the difference that the copy of the bid is made with the connivance of the Database Administrator (DBA) and decryption done in connivance with the person holding the decryption key.

Guidance and recommended practices

Secure submission of bid from bidder’s computer to the server should be done after the bid file is encrypted (with symmetric or asymmetric encryption) at the bidder’s computer and further submitted to the e‐procurement server through SSL encryption. Only the encrypted file submitted by the bidder should be stored and should be decrypted at the Tender Opening Event (TOE).

The two‐way process as suggested should be followed strictly; this addresses the concerns raised. Information reaching the server where the e‐procurement software is deployed over SSL will remain encrypted even after the SSL encryption is removed, and will lie encrypted in the system hosting the e‐procurement software. The Database Administrator (DBA) will not be able to decrypt the information, as he will not hold the decryption keys. It may be mentioned here that at no point of time should the System Administrator or Database Administrator be authorized to hold the private (decryption) key. The organization shall have a procedure which can include three different approaches to address three different scenarios.
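As an added example (not code from the EOI or from any NTPC system), the following Go program models the two‐way process described above: the bid part is sealed with a bidder‐generated symmetric key at the bidder’s computer, the server persists only the ciphertext, and the part is opened at the Tender Opening Event with the key the bidder releases then. The record layout, the per‐part key and the sample bids are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// StoredBid is the only record the e-procurement server persists for one bid part
// (layout is an assumption for this example). It holds ciphertext plus public
// metadata and no key material, so a DBA who copies the table has nothing to
// decrypt with.
type StoredBid struct {
	Bidder   string
	Part     string // e.g. "Technical" or "Financial"; each part gets its own key
	Nonce    []byte
	Envelope []byte // AES-256-GCM ciphertext followed by its authentication tag
}

// BidderKey generates a fresh 256-bit key at the bidder's computer. A passphrase
// based scheme would derive the key with a password KDF instead; either way the
// key never leaves the bidder until the TOE.
func BidderKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBid runs at the bidder's end, before the bid leaves the bidder's computer.
// Bidder and part are bound in as associated data, so a stored record cannot be
// silently re-labelled as another bidder's or another part's bid.
func SealBid(key []byte, bidder, part string, plaintext []byte) (StoredBid, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return StoredBid{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredBid{}, err
	}
	aad := []byte(bidder + "|" + part)
	return StoredBid{Bidder: bidder, Part: part, Nonce: nonce,
		Envelope: aead.Seal(nil, nonce, plaintext, aad)}, nil
}

// OpenBid is called only at the TOE with the key the bidder releases for that part.
// Any change to the stored record (a tampering DBA, a flipped byte, a re-labelled
// part) makes the GCM tag check fail and the open is refused.
func OpenBid(key []byte, sb StoredBid) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, sb.Nonce, sb.Envelope, []byte(sb.Bidder+"|"+sb.Part))
}

func main() {
	// Constructed sample: one bidder, two bid parts, one key per part.
	techKey, _ := BidderKey()
	finKey, _ := BidderKey()
	tech, _ := SealBid(techKey, "BIDDER-A", "Technical", []byte("spec compliance: yes"))
	fin, _ := SealBid(finKey, "BIDDER-A", "Financial", []byte("price: 12,50,000 INR"))

	// Technical TOE: only the technical key is released; the financial part stays sealed.
	pt, err := OpenBid(techKey, tech)
	fmt.Printf("technical part: %q err=%v\n", pt, err)
	_, err = OpenBid(techKey, fin)
	fmt.Println("financial part opens with technical key:", err == nil)

	// A record altered in the database is detected when it is opened at the TOE.
	fin.Envelope[0] ^= 0x01
	_, err = OpenBid(finKey, fin)
	fmt.Println("tampered financial part opens:", err == nil)
}
```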

4. Concern about Symmetric key based Bid‐Encryption done at the Bidder’s computer


The concerns in this regard are:

… not be mandatory for them to be present if their bids are to be opened.

b) How the security of the symmetric key (i.e. the key used for encryption of each bid‐part) is ensured, between the period of bid‐submission and the Online Public TOE, keeping in view the concerns outlined above.

c) It should be allowed for a bidder to have different keys for bid‐encryption of each bid‐part (such as Pre‐qualification, Technical, and Financial) he submits.

Guidance and recommended practices

The organization shall have a procedure to address the above. The e‐Procurement system should have functionality such that the physical presence of bidders is not mandatory during the Online Public TOE.

Cryptographic controls

A 12.3 A.12.3.1 A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.12.3.2 Key management shall be in place to support the organization’s use of cryptographic techniques.

Regulation of cryptographic controls

A 15.1.6 Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

5. Concerns/ clarifications based on s42(1) of the IT Act 2000 relating to Digital Signatures, a User Organization’s Administrative Hierarchy, and some related aspects

5.1

In any large Government or PSU Purchase organization, there can be multiple indenting departments, multiple tendering authorities (i.e. entities which can invite tenders in their name), and tens (and sometimes hundreds) of officers involved with different activities relating to various tenders.

A situation should not arise in the e‐tendering system where, due to a limitation of the e‐tendering system, these departments and officers are not able to themselves execute their duly assigned roles as in the manual process, and are constrained to re‐assign/ abdicate their roles and responsibilities to a few tech‐savvy technicians or to the personnel of the service‐provider of the e‐tendering system.

a) No such limitations exist in the offered e‐tendering system, and the system supports multiple departments and a comprehensive hierarchy of officers which is such that each officer can continue to perform his/ her tendering related role in a secure manner with full accountability, and with no need for any re‐assigning of responsibilities. It is being clarified that the objective here is not to provide a full‐fledged virtual office to the officers, but to provide adequate facilities within the application for multiple officers of multiple departments to carry out their respective tendering related activities with proper security and full accountability. Roles relating to various tendering activities within each department, and which could vary from tender to tender, would inter alia include – deciding methodology and rules pertaining to a particular tender, creation of tender notice, approval/ rejection of tender notice, creation of corrigendum, approval of corrigendum, creation of tender document forms, approval of tender document forms, overall approval/ rejection of tender documents, providing responses to clarification of tender documents, uploading minutes of pre‐bid meeting, one or more officers conducting public online tender opening event (TOE), approving minutes of the public online TOE, short‐listing responsive bidders for the next stage (where applicable), managing roles of various personnel, and assigning alternative personnel in case the original assignees are absent, etc.

b) The offered e‐tendering system has a facility such that roles with a conflict of interest can be assigned to different persons within the organization, so that the conflict of interest is avoided.

c) There should be one authorized person as an overall coordinator and representative of that organization in the e‐tendering system, with powers to delegate different roles to different users from time to time, and all such role‐changes must be audit‐trailed in the application. The credentials of this overall coordinator must be verified.

d) There should be provision for a separate authorized user (at the corporate level of each Buyer organization, i.e. external to its tendering departments) who can access the application‐level audit‐trail (i.e. audit‐log) reports. Other users of the organization should not have access to these reports.

e) Under no circumstances will it be required for any officer to hand over his/ her private‐key (used for digital‐signing, or bid‐decryption if applicable in the offered system) to anyone else – within the organization, or to anyone in the service provider’s organization, or to anybody else.

f) There could be occasions when an authorized officer of a Purchase/Buyer organization is on leave, gets transferred, resigns or his/ her services are terminated. One example where such an eventuality may arise is if the public key of the tender opening officer is used for bid encryption, and his private key is required for bid decryption during the online tender opening event. There should be no limitation in the e‐tendering system which may necessitate that the private key of such an officer be handed over to anybody else for the scheduled tendering processes to continue uninterrupted.

Note: The above is necessary for compliance with s‐42(1) of the IT Act 2000.

Guidance and recommended practices

The e‐procurement system should have the features to address the above. Under the IT Act, 2000, any holder of a Digital Signature whose Digital Signature Certificate has been issued by a licensed CA is responsible for protecting the corresponding private key. Unless the certificate validity has expired or the certificate has been revoked by the issuing CA, any digital signature will be legally valid and will be attributed to the person listed in the Digital Signature Certificate. Similar measures should be evolved for the encryption key pair as well.

Handing over of the private (decryption) key by one officer to another officer, both in the case of digital signature as well as in the case of encryption, should not be allowed.

In the case of digital signature, the private key should be one factor of a two‐factor authentication method, which must be implemented. The other factor could be a Personal Identification Number (PIN) or a biometric etc., so that nobody else can use the private key for signing the document.

Notice (which is an electronic record), should have an audit‐trail within the application of its creation/ approval/ posting. Also, the tender notice should be digitally signed by an authorized officer of the Purchase/ Buyer organization.

Concern (Manual System)

A Corrigendum is issued after internal clearance/ approval. Once a Corrigendum to a Tender Notice is published in a newspaper, it becomes an authentic record.

(Electronic System)

a) At a higher level, there should be clearance (which is audit‐trailed within the application and digitally signed) before a Corrigendum is issued.

b) For authenticity and for assurance that it has not been tampered with, the electronic Corrigendum (which is an electronic record) should have an audit‐trail within the application of its creation/ approval/ posting. Also, the Corrigendum should be digitally signed by an authorized officer of the Purchase/ Buyer organization.

Concern (Manual System)

Once Tender Documents are published, and sold with official receipt and serial no. for each copy sold, these become an authentic record.

(Electronic System)

a) For authenticity and for assurance that they have not been tampered with, the electronic Tender Documents (which are an electronic record) should have an audit‐trail within the application of their posting. Also, the Tender Documents should be digitally signed by an authorized officer of the Purchase/ Buyer organization.

b) At the time of online sale/ downloading of the tender documents, an official serial number should be given along with the receipt.

Concern (Manual System)

An Addendum is issued after internal clearance/ approval. Once Addendum to Tender Documents are published and distributed, these become an authentic record.

(Electronic System)

a) At a higher level, there should be clearance (which is audit‐trailed within the application and digitally signed) before an Addendum is issued.

b) For authenticity and for assurance that it has not been tampered with, the electronic Addendum (which is an electronic record) should have an audit‐trail within the application of its approval/ posting. Also, the Addendum should be digitally signed by an authorized officer of the Purchase/ Buyer organization.

Concern (Manual System)

Clarification of Tender Documents. In response to a bidder’s query, an authorized officer of the Purchase/ Buyer organization responds to the querist with a copy to all other prospective bidders who have purchased tender documents (without revealing the identity of the querist). The response is signed by the concerned officer for authenticity.

(Electronic System)

The e‐tendering system should also have such a facility with all the functionality as described in the previous column. For authenticity and for assurance that it has not been tampered with, the response from the authorized officer of the Purchase/ Buyer organization should be digitally signed by him.

Concern (Manual System)

Pre‐Bid meeting. The minutes of the Pre‐bid meeting are signed for authenticity by an authorized officer of the Purchaser/ Buyer organization and made available to the prospective bidders.

(Electronic System)

The e‐tendering system should also have such a facility with all the functionality as described in the previous column. For authenticity and for assurance that they have not been tampered with, the Minutes should be digitally signed by an authorized officer of the Purchaser/ Buyer

It should not be possible to open the ‘e‐tender boxes’ till the specified time has occurred or elapsed, and till all the authorized Tender‐Opening Officers have formally instructed the system to do so with PKI‐based Digital Signatures.

Till the Public Tender Opening Event, security related features should be such that the contents of the bids which are being stored cannot be ‘accessed and decrypted’ by even the authorized officers of the Purchaser/ Buyer or the Administrators of the Service Provider (even if they wish to do so with mala‐fide intentions).
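As an added example (not code from the EOI or from any existing e‐tendering product), the following Go program models the opening gate described in the two paragraphs above: the e‐tender box for a tender opens only after the scheduled time has elapsed and every authorized Tender‐Opening Officer has submitted a digitally signed instruction to open it. Officers’ DSC keys are modelled as bare ECDSA P‐256 keys, and the tender id and officer names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Officer is an authorized Tender-Opening Officer, identified by the public key from
// their Digital Signature Certificate (modelled as a bare ECDSA key in this example).
type Officer struct {
	ID  string
	Pub *ecdsa.PublicKey
}

// OpenInstruction is one officer's signed instruction to open one specific e-tender box.
type OpenInstruction struct {
	OfficerID string
	TenderID  string
	Sig       []byte // ASN.1 DER ECDSA signature over instructionDigest
}

// instructionDigest binds the instruction to both the tender and the officer, so a
// signature for one tender, or by one officer, cannot be replayed for another.
func instructionDigest(tenderID, officerID string) []byte {
	h := sha256.Sum256([]byte("OPEN-E-TENDER-BOX|" + tenderID + "|" + officerID))
	return h[:]
}

// SignOpen is run by an officer with their own private key, which never leaves them.
func SignOpen(priv *ecdsa.PrivateKey, officerID, tenderID string) (OpenInstruction, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, instructionDigest(tenderID, officerID))
	if err != nil {
		return OpenInstruction{}, err
	}
	return OpenInstruction{OfficerID: officerID, TenderID: tenderID, Sig: sig}, nil
}

// CanOpenBox returns nil only when the scheduled time has elapsed AND every
// authorized officer has a valid signed instruction for this tender. An invalid
// signature or an instruction from an unknown officer rejects the whole request.
func CanOpenBox(tenderID string, scheduled, now time.Time, officers []Officer, instrs []OpenInstruction) error {
	if now.Before(scheduled) {
		return errors.New("scheduled opening time has not yet elapsed")
	}
	pubByID := make(map[string]*ecdsa.PublicKey, len(officers))
	for _, o := range officers {
		pubByID[o.ID] = o.Pub
	}
	signed := make(map[string]bool)
	for _, in := range instrs {
		if in.TenderID != tenderID {
			continue // instruction for a different tender box; it does not count here
		}
		pub, ok := pubByID[in.OfficerID]
		if !ok {
			return fmt.Errorf("instruction from unauthorized officer %q", in.OfficerID)
		}
		if !ecdsa.VerifyASN1(pub, instructionDigest(tenderID, in.OfficerID), in.Sig) {
			return fmt.Errorf("invalid signature on instruction from officer %q", in.OfficerID)
		}
		signed[in.OfficerID] = true
	}
	for _, o := range officers {
		if !signed[o.ID] {
			return fmt.Errorf("officer %q has not instructed the system to open the box", o.ID)
		}
	}
	return nil
}

// NewOfficer generates a constructed officer key pair for the demonstration.
func NewOfficer(id string) (Officer, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Officer{}, nil, err
	}
	return Officer{ID: id, Pub: &priv.PublicKey}, priv, nil
}

func main() {
	const tender = "NIT-EXAMPLE-001" // constructed tender id
	scheduled := time.Date(2024, 1, 15, 15, 0, 0, 0, time.UTC)
	var officers []Officer
	var instrs []OpenInstruction
	for _, id := range []string{"TOO-1", "TOO-2", "TOO-3"} {
		o, priv, _ := NewOfficer(id)
		in, _ := SignOpen(priv, id, tender)
		officers, instrs = append(officers, o), append(instrs, in)
	}
	early, late := scheduled.Add(-time.Minute), scheduled.Add(time.Minute)
	fmt.Println("before scheduled time:", CanOpenBox(tender, scheduled, early, officers, instrs))
	fmt.Println("two of three officers:", CanOpenBox(tender, scheduled, late, officers, instrs[:2]))
	fmt.Println("all signed, time elapsed:", CanOpenBox(tender, scheduled, late, officers, instrs))
}
```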

this are:

Authorized representatives of bidder organizations

a) Who have submitted their bids are entitled to be present and have to sign in their attendance.

b) Each bid is opened one at a time in front of the participating bidders, and the concerned bidder is entitled to satisfy himself that his bid packet is intact and has not been tampered with.

c) If Bid security [earnest money deposit (EMD)] is applicable for a tender, then details of the EMD submitted, or the exemption claimed with the basis thereof, are disclosed to the participants.

d) Salient points of each opened bid are read out aloud for the benefit of the participating bidders, and to ensure that no change is made in the bid contents later on with connivance.

e) Clarifications may be sought from a bidder whose bid has been opened, and a record is made of the query and the response.

f) Each page of the opened bid is countersigned during the TOE itself by each tender opening officer (typically up to 3), to ensure that no change is made in the bid contents later on with connivance.

g) After all the bids are opened and countersigned by the TOE‐officers, the minutes of the meeting (i.e. TOE) are to be recorded.

h) Each bid part may be opened in a separate tender opening event in which only the authorized bidders are allowed. This is to be done in a very transparent manner, with proper scheduling of events and proper information to the concerned bidders.

i) Bid parts which are due for opening in a subsequent tender opening event are securely stored till that event.

j) If in a particular TOE it is decided not to open the bid of a bidder, then such bids are returned unopened.

(Electronic System)

Facility for the authorized personnel to conduct a Public Online Tender Opening Event with Bidders attending from remote locations electronically with full security procedures. The Tender‐Opening Event should be simultaneously viewable by all attendees from their respective locations.

Key management shall be in place to support the organization’s use of cryptographic techniques.

A 15.1.6

Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

The e‐tendering system should support all the salient aspects, viz. a, b, c, d, e, f, g, h, i as listed in the previous column, without sacrificing any aspect of security and transparency, including those listed elsewhere in this matrix/ questionnaire. As soon as a bid is opened, participating bidders should be able to simultaneously download the salient points (i.e. the summary information) of the opened bid.

For (j) keeping in view the nature of the internet, such bids may be archived unopened.

Note: In addition, in cases where some bidders have bid offline (ie manually), and this has been allowed, then the following should be ensured:

- That the offline bids are opened first and their salient points entered into the system before the online bids are opened. This is all done in the presence of the online bidders, who are simultaneously witnessing this exercise.

The compiled/ integrated data of both the online and offline bidders should be made available in the form of an online comparison chart to all the participants.

Guidance and recommended practices

The GFR requires that tenders be opened in public in the presence of the authorized representatives of the bidders. The Finance Ministry Manual on procurement procedures outlines in detail the requirements of a transparently conducted Public Tender Opening Event. CVC Guidelines on security aspects of e‐procurement also state the requirement of an ‘Online Public Tender Opening Event’. Merely opening bids ‘online’, and then separately making them available for display to the bidders subsequently, and/ or from a different location/ screen (i.e. user interface) without the simultaneous online presence of bidders, does not fulfill the requirements of a proper and transparent online Public TOE. A comprehensive and transparent Public Tender Opening Event is the ‘backbone of transparency and fairness’ of the Public Procurement process, manual or electronic. This has an impact on technical as well as procedural aspects.

It must be ensured that e‐tendering/ e‐procurement has comprehensive functionality for a transparent Public Online Tender Opening Event (Public OTOE). Well established practices of manual tender opening (with legal and transparency related significance) should have corresponding electronic equivalents for transparent e‐tendering/ e‐procurement. Some relevant processes of a fair and transparent online public TOE should include:


i. Opening of the bids in the simultaneous online presence of the bidders with proper online attendance record of the authorized representatives of the bidders. Merely opening bids online, and then subsequently displaying some results to the bidders does not fulfill the requirements of a transparent Online Public Tender Opening Event

ii. Security Checks to assure bidders of non‐tampering of their bids, et al, during the online TOE itself

iii. One‐by‐one opening of the sealed bids in the simultaneous online presence of the bidders

iv. Online verification of the digital signatures of bidders affixed to their respective bids

v. Reading out, i.e. allowing bidders to download the electronic version of the salient points of each opened bid (opened in the simultaneous online presence of the bidders)

vi. There should be a procedure for seeking clarifications by the TOE officers during the online Public TOE from a bidder in the online presence of other bidders, and recording such clarifications

vii. Digital counter‐signing (by all the tender opening officers) of each opened bid, in the simultaneous online presence of all participating bidders

viii. Preparation of the ‘Minutes of the Tender Opening Event’ and its signing by the concerned officers in the simultaneous online presence of the bidders

While bidders should be welcome to be present physically during the TOE, it should not be mandatory for them to do so. All the above should be achieved online in a user‐friendly manner.

The e‐procurement system has to satisfactorily address the above requirements through suitable functionality built into the e‐procurement application. Where, in addition, some issues are being further addressed through organizational procedures under ISO 27001, these should be explicitly defined with satisfactory explanations.

7. Concerns/ clarifications relating to preventing other Bidders from Bidding in the e‐Tendering Scenario, and Miscellaneous Concerns/ Clarifications

7.1

Can the e‐tendering prevent competitors/ tender mafia from locking the accounts (target accounts) of other users/ bidders by deliberately entering incorrect authentication information against user‐names (which are not secret) of such bidders/ users?

Control of technical vulnerabilities

A 12.6.1

Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

Cryptographic controls

A12.3 A.12.3.1

A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.12.3.2

Key management shall be in place to support the organization’s use of cryptographic techniques.

Regulation of cryptographic controls

Guidance and recommended practices

If the e‐procurement system has “Forgot Passwords feature”, it should address these concerns.

7.4 There should be facility for Comprehensive

iv) The authorized administrator of the e‐procurement/ e‐tendering application should also have access to audit trail reports of other administrators within the application.

v) The application should not provide any facility to modify or delete audit logs, or suspend logging operations.

Guidance and recommended practices

The e‐procurement system and software should have the facility and functionality. There should be facility for Reports relating to Tendering‐Activities, and corresponding MIS Reports which are accessible to the relevant authorized users of that organization.

The e‐Tendering application must be designed, developed and deployed using reputed and secure platforms such as .NET, J2EE etc., that minimize defects like bugs and vulnerabilities. It is important to ensure that during deployment only compiled code of the e‐tendering application software is used, with further protection to prevent run‐time modifications of the code. Please clarify how this is achieved.

Concern

It should not be possible to compromise the security of the e‐tendering application, even with knowledge of its architecture, design and encryption algorithm used.

Guidance and recommended practices

The application shall be architected, designed and developed (i.e. the required functionality should be built into the application) to address the above concerns. The best practices and processes for developing secure software shall be followed.

8. Concerns relating to Bidders making false assertions based on non‐existing functionality in their e‐tendering software (Important Eligibility/ Qualifying Criteria)

Guidance and recommended practices

The solution should be assessed in respect of the various security and transparency related concerns outlined in these Guidelines, and its scope of capability should be in the public domain, i.e. the functionality claimed should have references. This will discourage monopolizing by a particular vendor and solution and will encourage new entrants to offer such systems, thereby enhancing the competitiveness of procurement of such systems. To encourage new entrants, while there should be no compromise on the security, transparency and crucial functionality related concerns highlighted herein, the eligibility criteria in respect of ‘number of tenders’, ‘revenue criteria from e‐procurement’, etc. should be kept to a minimum.


eProcurement system and a finance system, and externally, for example between a buyer’s eProcurement system and a supplier’s eCommerce system.

The preferred method of data flow today is eXtensible Mark‐Up Language (XML). XML is accepted as a core standard for data exchange between Government and Business.

Project Risks

Annexure‐II ‐ Checklist for eSecurity Compliance (including CVC Guidelines)


Annexure‐III – Checklist for Compliance to GOI procurement procedures

GFR 2005, Government of India, Ministry of Finance, Department of Expenditure

The contents of GFR 2005 are as follows:

Chapter‐6, Procurement of Goods & Services, is applicable for the e‐Procurement System (EPS).

The list of GFR requirements given below provides general guidelines about the applicability of the requirements in the EPS and the verification mechanism. The assumption has been made that in an ideal situation all the GFR requirements will be applicable to the EPS. However, in an actual situation, depending on the client’s (buyer organization) requirements, all the GFR requirements may not be applicable and hence not addressed by the EPS. Therefore, it is recommended that the EPS solution/ service provider uses this list as a guideline and prepares a similar list for the EPS being developed, as per the applicability of the GFR requirements.

Compliance with the applicable GFR requirements may be verified as follows:

In the case of a manual procurement system, compliance verification may be done through a process audit of the policies & procedures of the client (buyer organization). It is up to the client to perform the process audit to ensure compliance.

In the case of an e‐procurement system, compliance verification shall be done through testing and audit of the functionalities in the EPS solution. It is recommended that internal verification be done by the EPS solution provider and that it also be externally verified by a Third Party Agency for the client’s acceptance.


Rule Description | To Be Addressed By | Compliance Verification

General

GFR covers Rules relating to – Tenders relating to Works, Goods and Services. The e‐procurement system should have functionality to cover all kinds of tenders, whether the tenders relate to Works, Goods or Services. While some specific rules relating to procurement of Goods and Services are outlined below, corresponding functionality for Works tenders should also be implemented in the e‐procurement system.

Chapter 6: Procurement of Goods and Services ‐ Guidelines

Rule: (iii) The procuring authority should be satisfied that the selected offer adequately meets the …
To be addressed by: … compromised before the Online Public Tender …

Rule: (iv) The procuring authority should satisfy itself that the price of the selected offer is reasonable …
To be addressed by: Importantly, a properly conducted Public Tender …

Rule: (v) At each stage of procurement the concerned procuring authority must place on record, in precise terms, the considerations which weighed …
To be addressed by: … backbone of transparency in public procurement. The e‐procurement …

Rule: (iv) Where the Ministry or Department feels that the goods of the required quality, specifications etc., may not be available in the country and it is necessary to also look for suitable competitive offers from abroad, the Ministry or Department may send copies of the tender notice to the Indian embassies abroad as well as to the foreign embassies in India. The selection of the embassies will depend on the possibility of availability of the required goods in such countries.
To be addressed by: In addition, the concerned Buyer organization should have Procurement Policy & Procedures to implement the other requirements.

Rule: (v) Ordinarily, the minimum time to be allowed for submission of bids should be three weeks from the date of publication of the tender notice or availability of the bidding document for sale, whichever is later. Where the department also contemplates obtaining bids from abroad, the minimum period should be kept as four weeks for …


Rule: (b) There are sufficient reasons, to be recorded in writing by the competent authority, indicating that it will not be in public interest to procure the …
To be addressed by: … organization should have Procurement Policy & Procedures to implement …

Rule: (iii) For standardisation of machinery or spare parts to be compatible to the existing sets of equipment (on the advice of a competent technical expert and approved by the competent authority), the required item is to be purchased only from a selected firm.
To be addressed by: … organization should have Procurement Policy & Procedures to implement the other requirements.

Note: Proprietary Article Certificate in the following form is to be provided by the Ministry / Department before procuring the goods from a single source under the provision of sub Rule 154 (i) and 154 (iii) as applicable.

(i)The indented goods are manufactured by

M/s……..………………..

(ii)No other make or model is acceptable for the following reasons: ……………………….

(iii)Concurrence of finance wing to the proposal vide: ………………..

(iv)Approval of the competent authority vide:

………………………

________________________

(Signature with date and designation)

Ministries or Departments of the Central Government may relax, in consultation with their Financial Advisers concerned, the ceilings (including percentage laid down for advance payment for private firms) mentioned above. While making any advance payment as above, adequate safeguards in the form of bank guarantee etc. should be obtained from the firm.

(2)Part payment to suppliers: Depending on the terms of delivery incorporated in a contract, part payment to the supplier may be released after it dispatches the goods from its premises in terms of the contract.

(i)The text of the bidding document should be self‐contained and comprehensive without any ambiguities. All essential information, which a bidder needs for sending a responsive bid, should be clearly spelt out in the bidding document in simple language. The bidding document should

(a)The criteria for eligibility and qualifications to be met by the bidders such as minimum level of experience, past performance, technical capability, manufacturing facilities

(b)Eligibility criteria for goods indicating any legal restrictions or conditions about the origin of goods etc. which may be required to be met

(ii)Suitable provision should be kept in the bidding document to enable a bidder to question the bidding conditions, bidding process and/or

(vi)The bids should be opened in public and authorised representatives of the bidders should

(vii)The specifications of the required goods should be clearly stated without any ambiguity so that the prospective bidders can send meaningful bids. In order to attract a sufficient number of bidders, the specification should be broad based to the extent feasible. Efforts should also be made to use standard specifications which are

(viii)Pre‐bid conference: In case of turn‐key contract(s) or contract(s) of special nature for procurement of sophisticated and costly equipment, a suitable provision is to be kept in the bidding documents for a pre‐bid conference for clarifying issues and clearing doubts, if any, about the specifications and other allied technical details of the plant, equipment and machinery projected in the bidding document. The date, time and place of the pre‐bid conference should be indicated in the bidding document. This date should be sufficiently ahead of the bid opening date.

(ix)Criteria for determining responsiveness of bids, criteria as well as factors to be taken into account for evaluating the bids on a common platform and the criteria for awarding the

(xi)Bidders should not be permitted to alter or modify their bids after expiry of the deadline for

(xii)Negotiation with bidders after bid opening must be severely discouraged. However, in

E‐procurement guidance (right‐hand column):

addressing the various issues especially outlined in Annexure‐I of these Guidelines. Specifically for fairness it must be ensured that the e‐

supports all legitimate processes and methodologies for inviting bids in a

under no circumstances should the confidentiality of the bid be

backbone of transparency in public procurement. The e‐procurement

arbitrariness each opened bid should be

TOE‐officers in the simultaneous online presence of the authorized bidders. In addition, authorized representatives of

present offline during a TOE. However, to eliminate any arbitrariness and any doubt about tampering, the simultaneous online presence of bidders during TOE is important. Bidders may have doubts about the transparency of the process if the bids are opened by the Buyer independently in the backend (ie without the simultaneous online presence of bidders), and

waiting. This is obviously not a transparent public

acceptable.


Annexure‐IV ‐ Checklist for Compliance with IT ACT (IT ACT 2000 and Amendment 2008)

ii)The private key or the signature creation data should not be stored in the e‐Procurement System or kept under the control of the e‐ Procurement Service Provider.

iii)By the use of a public key of the subscriber/ signer, it should be possible to verify the electronic record. This may be read in conjunction with Sch‐2, 13 85B(2)(b) “except in the case of a secure electronic record or a secure digital signature, nothing in this section shall create any presumption relating to authenticity and integrity of the electronic record or any digital signature”.

(Explanation: This implies that important electronic records of an e‐procurement application, like Tender Notice, Corrigenda, Tender Documents, Addenda, Clarifications to Tender Documents, Bids, etc., should not only be electronically signed; there should also be provision in the e‐procurement application to verify the electronic signatures.)

iv)Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure. (Explanation: There should be no limitation in the functionality of the e‐procurement system which, for the tendering processes to continue uninterrupted, necessitates that the private key of any officer (who may be absent or unavailable) be handed over to anybody else, or that a private key be shared by multiple users for any reason, such as absence of a detailed hierarchy within a user organization or multiple users of a group using a common key.)

v)Similarly, functionality of the e‐procurement system should cover other aspects outlined in various sections (specified in the adjacent


invasive of another's privacy, hateful, or racially, ethnically or otherwise objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

(c)harm minors in any way;

(d)infringes any patent, trademark, copyright or other proprietary rights;

(e)violates any law for the time being in force;

(f)discloses sensitive personal information of any other person, or information to which the user does not have any right;

(g)causes annoyance or inconvenience or deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

(h)impersonates another person;

(i)contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

(j)threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order, or causes incitement to the commission of any cognizable offence, or prevents investigation of any offence, or insults any other nation.

iii)The Service Provider shall not itself host, publish, edit or store any information, and shall not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission, as specified in (ii) above.

iv)The Service Provider shall inform its users that in case of non‐compliance with terms of use of the services and privacy policy provided by the Service Provider, it has the right to immediately terminate the access rights of the users to the e‐Procurement System.

v)The Service Provider shall publish on the e‐Procurement website the details of the designated agent to receive notification of claimed infringements.


Reference Documents


Reference Document – 1

eTendering Processes

e‐tendering portal

An e‐tendering portal, or an e‐tendering website, refers to an internet‐based portal on which an e‐tendering application software is hosted in a secure manner. One or more Government organizations register on the portal (as Buyer organizations). Various vendors also register on the portal (as Supplier organizations). A Buyer organization floats (i.e. invites) a tender on the portal, and Supplier organizations respond to such tenders. Depending on the functionality offered by an e‐tendering portal, all the tendering related activities, from ‘Indent Management (or Requisition Management)’ to ‘Award of Contract’, can be carried out ‘Online’ over the Internet by a Buyer organization, and related activities by Supplier organizations.

Non‐negotiable founding principles of Public Procurement like transparency, encouraging competitiveness and fair treatment to all etc.

Switchover from a manual system of tendering to electronic tendering or e‐tendering is a major change. Some ‘process re‐engineering’ (i.e. change or improvement in the methodology of conducting various activities) becomes inevitable when a changeover is made to a new technology, or a new method of working is adopted. However, while switching over to e‐tendering, no compromise should be made by the Government organization on ‘Security and Transparency’ related aspects of the Government Tendering Policy and Rules on the pretext of re‐engineering.

While switching over to e‐tendering, a Government organization (in the role of a Buyer) which urges its Suppliers/Vendors to change over to e‐tendering should ensure that the e‐tendering portal also takes care of the Supplier organizations’ needs for security and transparency, and that suppliers are given reasonable time to change over in a phased manner.

core activities related to tendering

From a Buyer’s perspective, ‘core activities related to tendering’ refers to activities like raising indents (or requisitions) for procuring some item or service, approving such requisitions, configuring the e‐tendering system to act as per that organisation’s tendering policy, creating a hierarchy of officers with specific authorizations to manage and control activities related to e‐tendering for various tenders, configuring the e‐tendering system to act as per specific rules for a given tender, creating a list of bidders to be invited for a ‘limited tender’, creating a tender notice, approving a tender notice, authorizing issue of corrigenda, creating corrigenda, approving tender documents, authorizing issue of addenda, approving addenda, furnishing clarifications to tender documents, conducting online public tender opening event(s) and sharing salient points of each bid with all participating bidders, counter‐signing each opened bid during the tender opening event, evaluating the bids which have been opened, and creating a list of bidders for the next stage (where applicable). From a Supplier’s (or Vendor’s) perspective, ‘core tendering activities’ or ‘core activities related to tendering’ refers to activities relating to responding to various tenders. These include creating a hierarchy of executives with specific authorizations to manage and control activities related to e‐tendering for various tenders, procuring tender documents for a tender, seeking clarifications to tender documents, preparing a bid in multiple parts (as required by the Buyer) and required), attending online public tender opening event(s).


Operating Models for e‐Tendering

A variety of ‘Operating Models’ have emerged through which e‐tendering services are currently being offered. Some prominent models are ‘Dedicated e‐Tendering Portals’ (also referred to as Captive e‐Tendering Portals), ‘Shared e‐Tendering Portals’ (where services are offered in ASP (Application Service Provider) mode/SaaS (Software as a Service) mode), and different types of ‘Outsourcing Models’. Also, it is important to differentiate between the concepts of the portal. In view of the emphasis on Security and Transparency in Public Procurement, the acceptability of these models varies. Guidelines are as follows:

A)(Dedicated e‐Tendering Portals)‐ where the Government organization wishing to do e‐tendering, owns and controls the portal infrastructure, and also controls all the core tendering activities carried out on the portal.

A Government organization wishing to set up a dedicated e‐tendering portal for its tendering requirements should float an ‘Open Tender’ for selecting a suitable vendor. It should not resort to by‐passing of the tendering process on the grounds that, as a Buyer organization, it has been offered the service free of charge or at a nominal charge, and only Suppliers or Vendors have to pay to the Service Provider or the Supplier of the e‐tendering software, as the case may be. In situations like this, as in the case of infrastructure projects, the total revenue which accrues to the Service Provider of the e‐tendering portal should be considered, viz. revenue from the Buyer organization(s), revenue from registration of Supplier organizations which will register on the portal at the behest of that Buyer organization, and any other sources of revenue.

B)(Use of a Shared e‐Tendering Portal)‐ where the Government organization wishing to do e‐tendering controls all the core tendering activities of its organization carried out on the portal, but where ownership and control of the portal infrastructure is with the Service Provider.

A Government organization wishing to use an existing e‐tendering portal on shared basis for its tendering requirements may float a tender for the purpose of selecting a suitable Service Provider. In such situations, the nomination route may be used if both the following conditions are satisfied.

i)The total annual revenue which accrues to the Service Provider from that Government organization and its Suppliers who register specifically at the behest of that Government organization is less than Rs. Five/ten lakhs a year. (Note: Limit to be defined by the appropriate Govt body keeping in view Finance Ministry’s current limit of Rs. Ten lakhs for consultancy service through the nomination route). For this purpose, revenue should include registration and portal usage charges of the Buyer organization, registration charges of supplier organizations which register at the behest of that buyer organization, and portal‐usage charges of the aforesaid supplier organizations specifically in respect of responding to tenders of that Buyer organization.

ii)The arrangement of that Government organization with the Service Provider is on a `non‐exclusive’ basis.


C)(Outsourcing Model‐1): The Government organization outsources its tendering activities to a Service Provider. The control of all or most of the core tendering activities is in the hands of the Service Provider. The Service Provider also owns and controls the portal infrastructure.

(Outsourcing Model 2): The government organization procures and owns partially or fully the portal infrastructure, but does not manage it. Furthermore, the Government organization outsources the management and control of its tendering activities to a Service Provider.

It is important to note that ‘Outsourcing’ as outlined above is substantively distinct from ‘Use of a Shared e‐Tendering Portal’ as outlined in (ii) B above. In the case of the ‘Shared e‐Tendering Portal’, the Government organization wishing to do e‐tendering controls all the core tendering activities of its organization carried out on the portal.

In the case of ‘outsourcing’, since ‘complete control is in the hands of a third party Service Provider’, a number of ‘legal’ and ‘security’ related issues arise. Some of these issues are:

i)‘Tendering’ is a sensitive activity, where integrity and transparency of the procurement process is of paramount importance. Can such a sensitive activity be outsourced to a third party Service Provider (who in turn may be a public sector entity, or a private entity) where ‘complete control is in the hands of the third party Service Provider’?

ii)In the case of a Government organization, the officers authorized for ‘tendering’ are legally accountable under the Official Secrets Act. Certain standards of propriety, integrity and confidentiality are expected of Government officers and Government departments. How will this be ensured from personnel of a third party private Service Provider, who would gain complete control of the tendering activities under the outsourcing contract?

iii)Guidelines pertaining to Access to the e‐Tendering Portal:

Access shall be provided to the general public for viewing ‘tendering opportunities’ (i.e. Tender Notices) posted on the e‐tendering portal for all ‘Open Tenders’, as well as ‘Limited Tenders’ (the exception in the case of Limited Tenders is where, due to reasons of national security, it is expedient not to do so). Access shall imply viewing a Tender Notice, and searching for a Tender Notice by its reference number or by the name of the Buyer organization.

Access shall be provided to the general public for accessing any other `Public Information’ sections of the e‐tendering portal, such as – Information pertaining to forthcoming Tendering Opportunities, Information pertaining to `Award of Contracts i.e. Purchase Orders’.

iv)Guidelines pertaining to use of Digital Signatures, IT Act 2000 and Phased Approach:

Any e‐tendering portal to be used by a Government organization must allow the users of the portal to use any one Digital Certificate (Digital Signature) issued by any Certifying Authority licensed by the CCA subject to other conditions of the Digital Certificate issuing authority.


The Digital Signature (i.e. Private Key) cannot be handed over by the owner of that key to any other person. (It has been observed that in some e‐tendering portals, the private digital keys of the authorized officers are handed over to the staff of the service provider, or the keys are freely exchanged amongst the users. This practice should be stopped forthwith).

No technology should be forced on the users suddenly. A phased approach must be adopted. Specifically in the case of e‐tendering, unless a large number of users are comfortable with the use of Digital Signatures, there is no point forcing them to deal with more sophisticated features like online bid‐submission involving encryption of bids etc. (It has been observed in some e‐tendering portals that the staff of the Service Provider have been encrypting bids on behalf of the bidders and conducting the Tender Opening Events on behalf of the authorized Government officers.)

All Digital Signature Certificates should be PKI based and issued by a Certifying Authority duly licensed by the CCA.

Compliance with IT Act 2000: Vendors of e‐tendering portals, or of e‐tendering software, should be specifically instructed to keep in view s 42(1) and s 85B(2)(b) of the IT Act 2000 while giving a ‘confirmation of compliance with the IT Act 2000’.
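Added example (not NTPC's code, and not from these Guidelines or any portal vendor): a minimal model of the controls set out in Annexure‐IV items (ii) to (iv) and in the TOE guidance above, with each record signed on its author's own machine, the portal holding public keys only, no submission or modification after the deadline, re‐verification of every bid at the Tender Opening Event and countersigning of each opened bid. Ed25519 from the Go standard library stands in for CCA‐issued PKI certificates; the tender reference, bidder names and prices are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Record is a signed electronic record (tender notice, corrigendum, bid ...); editing it breaks Verify.
type Record struct {
	Kind, Tender, Body string
	Author             ed25519.PublicKey // the portal holds public keys only
	Signature          []byte
	Countersigs        [][]byte // TOE officers' countersignatures on an opened bid
}

// digest length-prefixes each signed field so text cannot be shifted between fields.
func digest(r *Record) []byte {
	h := sha256.New()
	for _, f := range []string{r.Kind, r.Tender, r.Body} {
		fmt.Fprintf(h, "%d:%s|", len(f), f)
	}
	return h.Sum(nil)
}
func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// Sign runs on the author's own machine; the private key never reaches the portal (s 42(1), Annexure-IV ii/iv).
func Sign(kind, tender, body string, priv ed25519.PrivateKey) *Record {
	r := &Record{Kind: kind, Tender: tender, Body: body, Author: pubOf(priv)}
	r.Signature = ed25519.Sign(priv, digest(r))
	return r
}

// Verify needs only the public key, as Annexure-IV item iii requires of the application.
func Verify(r *Record) bool { return ed25519.Verify(r.Author, digest(r), r.Signature) }

// Tender holds the registered bidder public keys and the sealed bids of one tender.
type Tender struct {
	Ref      string
	Deadline time.Time
	Bidders  map[string]ed25519.PublicKey
	Bids     map[string]*Record
}

var ErrLate, ErrBadSig = errors.New("deadline expired: bid cannot be submitted or modified"), errors.New("bid not signed by the bidder's registered key for this tender")

// SubmitBid: registered key and before the deadline only; a resubmission replaces the earlier bid (ITB 26.1/26.3).
func (t *Tender) SubmitBid(bidder string, r *Record, now time.Time) error {
	if !now.Before(t.Deadline) {
		return ErrLate
	}
	pub, ok := t.Bidders[bidder]
	if !ok || !pub.Equal(r.Author) || r.Kind != "bid" || r.Tender != t.Ref || !Verify(r) {
		return ErrBadSig
	}
	t.Bids[bidder] = r
	return nil
}

// OpenBids is the TOE: after the deadline, re-verify each bid and countersign the intact ones; report the rest.
func (t *Tender) OpenBids(now time.Time, officers []ed25519.PrivateKey) (map[string]bool, error) {
	if now.Before(t.Deadline) {
		return nil, errors.New("TOE cannot start before the submission deadline")
	}
	verified := map[string]bool{}
	for bidder, r := range t.Bids {
		if verified[bidder] = Verify(r); !verified[bidder] {
			continue
		}
		for _, k := range officers {
			r.Countersigs = append(r.Countersigs, ed25519.Sign(k, digest(r)))
		}
	}
	return verified, nil
}

// Demo runs a constructed tender (reference, bidders, prices invented) and reports which protections held.
func Demo() map[string]bool {
	newKey := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k } // generated locally by each party
	acme, beta, officer := newKey(), newKey(), newKey()
	deadline := time.Date(2024, 1, 10, 15, 0, 0, 0, time.UTC)
	tn := &Tender{Ref: "EXAMPLE/TENDER/0001", Deadline: deadline, Bids: map[string]*Record{},
		Bidders: map[string]ed25519.PublicKey{"acme": pubOf(acme), "beta": pubOf(beta)}} // public keys only
	res := map[string]bool{}
	bid := Sign("bid", tn.Ref, "acme: price 100", acme)
	res["on-time bid accepted"] = tn.SubmitBid("acme", bid, deadline.Add(-time.Hour)) == nil
	res["late modification rejected"] = tn.SubmitBid("acme", bid, deadline) == ErrLate
	res["unregistered bidder rejected"] = tn.SubmitBid("gamma", bid, deadline.Add(-time.Minute)) == ErrBadSig
	_ = tn.SubmitBid("beta", Sign("bid", tn.Ref, "beta: price 90", beta), deadline.Add(-time.Minute))
	tn.Bids["beta"].Body = "beta: price 80" // altered in the backend before the TOE
	opened, err := tn.OpenBids(deadline.Add(time.Minute), []ed25519.PrivateKey{officer})
	res["tampered bid detected at TOE"] = err == nil && !opened["beta"] && len(tn.Bids["beta"].Countersigs) == 0
	res["intact bid countersigned"] = opened["acme"] && len(bid.Countersigs) == 1 && ed25519.Verify(pubOf(officer), digest(bid), bid.Countersigs[0])
	return res
}

func main() { fmt.Println(Demo()) }
```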

To avoid compromise of security (i.e. compromise of private key in this context), users of an e‐tendering portal should not obtain `pre‐ prepared’ digital certificates’ through the service provider or any other source. The digital certificate should be generated by the concerned user (i.e. the applicant of the digital certificate) himself, preferably on his own computer, and securely stored under a password


Reference Document – 3

OWASP (Open Web Application Security Project) Top 10 Application Security Risks – 2010

A1 – Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

A2 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.

A4 – Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5 – Cross Site Request Forgery (CSRF): A CSRF attack forces a logged‐on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A6 – Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

A7 – Insecure Cryptographic Storage: Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

A8 – Failure to Restrict URL Access: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

A9 – Insufficient Transport Layer Protection: Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

A10 – Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
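Added example, not from the OWASP document or from NTPC: A4 and A8 above applied to the bid‐document download of an e‐procurement portal, where bid confidentiality before the TOE is the asset at stake. The bid records, logins, roles and URL paths are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// BidDoc is a supplier's uploaded bid; the records below are constructed for this example.
type BidDoc struct {
	ID      int
	Tender  string
	Owner   string // supplier login that uploaded the bid
	Opened  bool   // set only after the public Tender Opening Event
	Content string
}

// Session is what the web tier knows about the caller after PKI login.
type Session struct {
	User string
	Role string // "supplier" or "toe-officer"
}

var bids = map[int]*BidDoc{
	101: {ID: 101, Tender: "EXAMPLE/TENDER/0001", Owner: "acme", Content: "acme technical bid"},
	102: {ID: 102, Tender: "EXAMPLE/TENDER/0001", Owner: "beta", Content: "beta technical bid"},
}

var ErrDenied = errors.New("access denied")

// bidID parses the object reference out of a path such as "/bids/101".
func bidID(path string) (int, bool) {
	id, err := strconv.Atoi(strings.TrimPrefix(path, "/bids/"))
	return id, err == nil
}

// InsecureDownload has the A4 flaw: the URL carries the database key and the only check is
// that somebody is logged in, so any supplier can read any other supplier's sealed bid.
func InsecureDownload(s Session, path string) (string, error) {
	if s.User == "" {
		return "", ErrDenied
	}
	if id, ok := bidID(path); ok {
		if d, found := bids[id]; found {
			return d.Content, nil
		}
	}
	return "", errors.New("not found")
}

// SecureDownload authorizes on every request (A8), not only when rendering links: a
// supplier reads only its own bid, a TOE officer only bids already opened in the public
// TOE, and a missing bid is indistinguishable from a foreign one, so ids cannot be probed.
func SecureDownload(s Session, path string) (string, error) {
	id, ok := bidID(path)
	if !ok || s.User == "" {
		return "", ErrDenied
	}
	d, found := bids[id]
	if !found {
		return "", ErrDenied
	}
	switch s.Role {
	case "supplier":
		if d.Owner == s.User {
			return d.Content, nil
		}
	case "toe-officer":
		if d.Opened {
			return d.Content, nil
		}
	}
	return "", ErrDenied
}

func main() {
	acme := Session{User: "acme", Role: "supplier"}
	_, err := InsecureDownload(acme, "/bids/102")
	fmt.Println("insecure handler serves another supplier's bid:", err == nil)
	_, err = SecureDownload(acme, "/bids/102")
	fmt.Println("secure handler refuses it:", errors.Is(err, ErrDenied))
}
```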


Reference document – 4

Business requirements specification‐ cross industry e‐Tendering process (Source CWA 15666)

To attain the objective of interoperability and compatibility of various solutions, both at buyer and supplier end it is required that processes and information entities shall be standardized across industrial electronic tendering. Following are the business requirements for the same.

Business Process Elaboration

E‐Tendering:

* Registration

* Public Invitation

* Tender/Opening of Tenders

* Publication of Award

Business Information Flow Definition:

* Submit Registration Application

* Issue Examination Result Notification

* Publish prior information notice

* Publish invitation to tender

* Submit pre‐qualification application

* Issue letter of invitation to tender

* Request Tender Information

* Issue tender information

* Issue tender guaranty

* Submit the response of tender guaranty

* Submit tender

* Submit qualification and application

* Issue qualification result notice

* Issue tender result notice

Following are the process details:


Templates & Forms


Template 1 : Defining Usability Requirement Specifications of the Software Product

USABILITY REQUIREMENTS SPECIFICATIONS OF < > SOFTWARE PRODUCT

Note: This is an illustration only. The applicant shall specify the parameters like file size (MB), time (seconds) and bandwidth for each item. Only applicable clauses of this template should be used.

1.NAME AND PURPOSE OF THE PRODUCT :

< > is a web based eGovernance solution designed and developed for complete automation of the tendering/ procurement of materials, components, contracts, works and services.

This specification defines the Usability requirements for the < > software application.

2.CONTEXT OF USE

< > has the capability to support the complete tendering process which includes placing of on‐line technical bids, commercial bids, facility for e‐payment and secure opening of vendor bids with provision for interface to e‐payment gateways and incorporating PKI enabled digital signatures.

Fine details of tendering like creation of vendor database, tender announcement and corrigendum, tender offer processing, opening, negotiation, dynamic pricing mechanism, automatic generation of comparative statement of bids received, tender awarding and management of tender contract operation and re‐tendering are supported in a real time interactive environment. This system enables both procurers and vendors to interact with each other and transact business.

a. Specification of users:

Based on the analysis of the product, the main classes of users are

Department users (ie Buyers or Purchasers)

Portal/ e‐Procurement Application Administrators (for Dedicated Portal of a Buyer)

Registered suppliers/ contractors/vendors

Portal/ e‐Procurement Application Administrators (for Service Providers)

Registered suppliers/ contractors/vendors

i.Skills & knowledge –

Should be computer literate and in the habit of surfing the net

Should have Knowledge about tendering process

ii.Training on the usage of software mandatory

iii.Product Experience – Nil

iv.Organizational experience – Nil

v.Physical attributes – Normal

Department Users (ie Buyers or Purchasers)

i.Skills & knowledge –

Should be computer literate and in the habit of surfing the net

Should have Knowledge about tendering process

ii.Training on the usage of software mandatory

iii.Product Experience – Nil


iv.Organizational experience – Required

v.Physical attributes ‐ Normal


b. Broad Specification of tasks

The major work flows analysed in terms of severity, criticality and frequency of use for the respective users are as given below :

Department Users

1.Vendor Registration specific to a particular Buyer/ Department‐ Any person who wants to bid for any tender of that Buyer/ Department has first to register with the department (after having registered on the portal). Where required, the Department Administrator can create vendors.

a.They receive the filled‐in application with credentials of the vendors, and then register them for a particular classification and grade.

2.Tender Creation: Creation, Uploading of tender and Authorizing the tender

3.Tender Opening ‐ Tender Opening in the simultaneous online presence of authorized bidder representatives with additional optional offline presence, EMD Authorisation, countersigning of each opened bid in the simultaneous online presence of authorized bidder representatives, Downloading of submitted vendor documents, Disqualification of a vendor (i.e. archiving a bid unopened) and Comparative statement generation

Sub activities: verification of documents and EMD/Bank Guarantee

Suppliers/ contractors/vendors

a.Self Registration on the e‐procurement portal by the first user of an organization, and submission of his Public Key

Sub activities:

i.Where required, registration by an authorized user for particular Department/ Buyer for a particular classification of trade, region and vendor class for a particular duration

ii.Attachment of supporting documents required for the registration

b.PKI based login and Request/ Procurement of tender documents

c.Pre‐qualification based on projects/tenders

d.Download tender documents/ addenda

e.Upload filled tender documents (ie bids, in envelopes and stages as instructed in the tender documents)

Sub activities:

i.Attachment of supporting documents required for the tender

ii.Submission

c. Specification of environment

As this application is generally used in an office environment, testing can be done in an office ambience.

So the Usability Lab at < > can be used for carrying out the user tests.

3.SPECIFICATION OF MEASURES OF USABILITY FOR PARTICULAR CONTEXTS

Department Users

1.Vendor Registration

a.Effectiveness (Accuracy & Completeness): All Vendor Registrations have been completed successfully.


b.Efficiency: Registration to be completed by the user within <10 minutes>.

c.Satisfaction: Less than 10% of users report dissatisfaction with the vendor registration procedures.

2.Generation of a tender‐ Creation

a.Effectiveness (Accuracy & Completeness): All Tenders have been completed correctly and successfully.

b. Efficiency: Tender Creation to be completed by the user within 10 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the tender generation process.

3.Uploading of tender

a.Effectiveness (Accuracy & Completeness): All tenders have been uploaded successfully.

b. Efficiency: Uploading to be completed by the user within 3 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the uploading procedures.

4.Opening of Tenders

a.Effectiveness (Accuracy & Completeness): The opening of all tenders has been completed successfully.

b. Efficiency: Opening of tenders to be completed by the user within 5 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the tender opening procedures.

5.EMD Authorisation

a.Effectiveness (Accuracy & Completeness): The EMD Authorisation of all tenders has been completed successfully.

b.Efficiency: EMD Authorisation to be completed by the user within 1 minute

c. Satisfaction: Less than 10% of users report dissatisfaction with the EMD Authorisation procedures.

6.Downloading of submitted vendor documents

a.Effectiveness (Accuracy & Completeness): The downloading of all submitted tenders has been completed successfully.

b.Efficiency: Downloading of submitted vendor documents to be completed by the user within 5 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the Downloading procedures.

7.Disqualification of one vendor

a. Effectiveness (Accuracy & Completeness) Vendor Disqualification has been completed successfully.

b.Efficiency: Disqualification of one vendor to be completed by the user within 3 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the disqualification procedures.


8. Comparative statement generation

a. Effectiveness (Accuracy & Completeness): Generation of Comparative statement has been completed successfully.

b.Efficiency: Comparative statement generation to be completed by the user within 2 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the Comparative statement procedures.

Suppliers/ contractors/vendors

1. Self Registration with PKI

a. Effectiveness (Accuracy & Completeness) Self Registration with PKI has been completed successfully.

b.Efficiency: Registration to be completed by the user within 12 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the PKI registration procedures.

2.PKI based login and Request for tender documentation

a.Effectiveness (Accuracy & Completeness): All Vendor requests have been completed successfully.

b. Efficiency: Tender request to be completed by the user within 5 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the Tender request procedures.

3.Downloading of tender documents

a.Effectiveness (Accuracy & Completeness): All the tender documents have been downloaded successfully.

b.Efficiency: Downloading of tender documents to be completed by the user within 3 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the downloading procedures.

4.Upload filled tender documents, Supporting documents and Submission of

c.Satisfaction: Less than 10% of users report dissatisfaction with the whole tender submission procedures.

4.Usability objective : Overall usability

1.Effectiveness measures

a.Percentage of goals achieved ‐ 100%

b.Percentage of users successfully completing task‐ 100%

2.Efficiency measures

a.Average time to complete a task ‐ less than 40 minutes

b.Average no of tasks completed per unit time ‐ one per 10 minutes

3.Satisfaction measures

a.Rating scale for satisfaction ‐ more than 90%

b.No of complaints ‐ less than 10%


Template 2: ‐ Defining Performance Specifications

To be provided by developer/user

The business requirements

Annexure V

Definitions and Reference Documents

E‐Procurement:‐ Electronic procurement (e‐procurement) is the use of electronic tools and systems to increase efficiency and reduce costs during each stage of the purchasing process.

Amendments/Modifications to Tenders

The tenderer, after submitting its tender, is permitted to submit alterations/modifications to its tender so long as such alterations/modifications are received duly sealed and marked like the original tender, up to the date and time of receipt of tenders. Any amendment/modification received after the prescribed date and time of receipt of tenders is not to be considered.

Source: Manual on Policies and Procedures for purchase of goods (Ministry of Finance)

Withdrawal, substitution and modification of Bids

STANDARD BIDDING DOCUMENT

Procurement of Goods User’s Guide‐ Asian Development Bank

26.1 A Bidder may withdraw, substitute, or modify its Bid after it has been submitted by sending a written Notice, duly signed by an authorized representative, and shall include a copy of the authorization in accordance with ITB 22.2 (except that Withdrawal Notices do not require copies). The corresponding substitution or modification of the Bid must accompany the respective written Notice. All Notices must be:

a) submitted in accordance with ITB Clauses 22 and 23 (except that Withdrawal Notices do not require copies), and in addition, the respective envelopes shall be clearly marked “Withdrawal”, “Substitution”, “Modification”; and

b) received by the Purchaser prior to the deadline prescribed for submission of bids, in accordance with ITB 24.

26.2 Bids requested to be withdrawn in accordance with ITB 26.1 shall be returned unopened to the Bidders.

26.3 No Bid shall be withdrawn, substituted, or modified in the interval between the deadline for submission of bids and the expiration of the period of bid validity specified by the Bidder on the Bid Submission Sheet or any extension thereof.

E‐Sourcing:‐ Electronic sourcing (e‐sourcing) is the use of internet technology to establish, manage and monitor contracts. It includes:

*eTendering

*eEvaluation

*eCollaboration, and

*eContract Management

Public Service Organization (PSO):‐ An organization which provides service(s) to the public at large and/or whose activities influence the public interest.

e.g.: Government ministries and departments, Regulatory bodies, Public utility service providers, etc.


Purchase Officer:‐ A Purchase Officer is an employee within a Public Service Organization (Govt. Department/ Public Sector Undertaking) who is responsible at some level for buying or approving the acquisition of goods and services needed by the organization. A Purchase Officer may oversee the acquisition of materials, general supplies for offices and facilities, or equipment. A Purchase Officer is also known as a “Procurement Manager”. They are overall responsible for building and managing their organization’s supply chains.

Service Provider: ‐ A service provider is an entity that provides services to other entities. In the context of this document Service Provider refers to a business that provides e‐procurement services to the Public service organization (Govt. Department/ Public Sector Undertaking).

Solution Provider:‐ A solution provider is a vendor, a service provider or a value‐ added reseller (VAR) that comprehensively handles the project needs of their client from concept to installation through support. This process normally involves studying the client's current infrastructure, evaluating the client's needs, specifying the mix of manufacturers' hardware and software required to meet project goals, installing the hardware and software at the client's site(s). In many cases, the "solution" also includes ongoing service and support from the VAR.

Senior Administrators:‐ Employees within a Public Service Organization charged with improving their company’s profits, responsiveness, and standing in the market. They are also termed Executive Director (Material Management) or Chief Executive Officer, depending on the size of the organization.

Financial Advisor (CFO):‐ Employee of a Public Service Organization focused on controlling costs and optimizing the organization’s resources. They are also designated as Chief Financial Advisors (CFO).

Head IT:‐ Employee of a Public Service Organization involved in selecting and implementing e‐Governance in the PSO, also known as Chief Information Officer. He is also responsible for managing consultants and system integrators (SI) tasked with identifying leading e‐Procurement solutions.

Facility Management Partner (FMP):‐ In some cases PSOs take the services of front‐end FMPs for implementation, operation, management and training of the e‐Procurement Solution. Such PSOs outsource the operation of the e‐procurement solution to a front‐end facility management partner.


2.0 Reference Standards and Normative documents

Application Security: OWASP Top 10, 2010

Network Security as per NIST 800‐115 Technical Guide to Information Security Testing and Assessment

CWA (CEN Workshop Agreement 15994‐ e‐Tendering Process)

CWA (CEN Workshop Agreement 15666‐ Business requirements specification‐ Cross Industry e‐Tendering Process)

eProcurement Integrity Matrix from Transparency International India

ISO / IEC 27001 Information Security Management System Requirements

ISO/TS 15000 Electronic business eXtensible Markup Language (ebXML)

IT Act 2000 with amendments 2008

General Financial Rules, 2005

Relevant CVC Guidelines
