Government e-Market Place II Pre-Procurement Market Engagement Nick Morris; August 2012
Agenda Introductions Government Procurement e-Enablement and e-Commerce Government e-Market Place Background Procurement Overview Proposed Timescale Proposed Statement of Requirements Security Requirements Next Steps
Savings for the Nation eEnablement Strategic Goals • To support the definition of category strategies, the sourcing, procurement and the management of contracts & suppliers through appropriate use of technology, maximising the use of existing investment in departments whilst ensuring there is full coverage of technical support across the whole of Government Procurement; • Consider the integration of multiple existing e-Sourcing solutions for centralised procurement; • The management of technology to promote accessibility of central deals by customers across the whole of the public sector and facilitation of the reporting and analysis of procurement expenditure, contract and supplier performance across all Central Government users.
Technical Architecture Secure access management eSourcing Tool Suppliers Spend Analysis Government Procurement Portal Dynamic Marketplace Cabinet Office Corporate Website • Large bullet points should be set in 18pt Arial • Large bullet points should be set in 18pt Arial • Large bullet points should be set in 18pt Arial • Large bullet points should be set in 18pt Arial • Large bullet points should be set in 18pt Arial • Large bullet points should be set in 18pt Arial eMarketplace Category Specific Tools Contract Finder Solution Cognos Data Warehouse Users
Enabling Technologies Target GPS Architecture Spend Analysis Spend by Suppliers & agreed Category schematic Suppliers Contract Finder Solution Opportunities, Contract award information eSourcing Tool Dynamic Marketplace eRFQ Complex RFQ/RFP, Auctions, SRM & contract management SME Registration and Quotation for sub EU tenders (services) Specific Category Tools eMarketplace Users Punch Out \ Integration with Supplier Sites eg Hotels, Fleet, Appstore Catalogues for common goods ERP AP ‘PSPES’ Replacement Solution The Government Open Procurement Portal ERP hosted by CG Depts Non ERP use PS Otis accessed via Website ERP P2P Single Web Portal designed and hosted in partnership with DirectGov
Enabling Technologies Target GPS Architecture For customer and supplier communications GPS Procurement Portal** GPS Procurement and Spend Reports and Dashboards Contracts Finder* GPS Reporting Tool** GPS Spend Analysis** GPS eSourcing** Cleansed Spend Data RFx and Contract data Sourcing Contract Management Supplier Management For opportunity and contract award publication For non-spend related analysis Contract details Order details Invoice details Catalogue details Dept eSourcing tools Dept ERP / AP GPS eMarketplace* Dynamic eMarketplace* Central Application Linked Application Data Flow Category Specific Tools For Total Spend For Central Contracts *Live ** Being Implemented
Savings for the Nation Government e-Market Place Background • Where Have We Come From • Zanzibar Framework agreement • Let August 2005 • Managed by OGC Buying Solutions • DWP Usage • ERP Implementation • Legacy Catalogue Hosting • Current Position • Catalogue • Non-Catalogue E-RFQ • Future Direction • Ge-M II
Procurement Overview Completed Consultation with other Government Departments and Wider Public Sector organisations including cross-Government senior stakeholders; minimum requirements identified and agreed by ESAB. PIN notice issued 22Nd June 2012 Strategy developed and incorporated into a business case Consultation with GP IAO Pre-procurement market engagment event 1st August 2012
Proposed Timescales Moving Forward – Provisional Timescales Review supplier feedback – by 6th August Stakeholder engagment & requirements gathering exercise – w/c 13th August Draft OJEU and issue – September 2012 Tender Issue date - Late September / October 2012 ITT return – 5th November 2012 Evaluation period – 12th November – 10th December 2012 Mandatory standstill start date w/c 17th December 2012 Contract award – end of January 2013
Government e-Market Place II Minimum Statement of Requirements
Government e-Market Place II Mandatory Services Content Management system – UNSPSC data mapping; catalogue workflows; rich data content with live links to supplier data Hosted Catalogue Management Services – catalogue search and compare; permission views local/global; supplier registration workflow [self service]; bulk upload / supplier adoption; DUNS Purchase to Payment lite – integrated / non integrated end user; backward compatible IE6; integration to other e-systems; end user support; MI tool and standard reporting; spend analysis and SUM reporting
Government e-Market Place II Mandatory Security Requirements Systems and accreditation IL 1; 3 and 4 GSi Hub CJX Hub N3 Hub NHS supply chain secure XML Firewall Security cleared personnel
Government e-Market Place II Dynamic RFQ functionality Non-complex ; low risk; sub-OJEU requirements quick turn around secure GP central category strategies Public Sector opportunities for SME
Government e-Market Place II Commercial model Modularised delivery Cost effective End user selection of component parts to fit requirements VfM Sector Wide
Commercial model Modularised delivery Cost effective End user selection of component parts to fit requirements VfM Sector wide
Information Assurance & RMADS Accreditation Amanda Squire, August 2012
Security Policy Framework Cabinet Office website: http://www.cabinetoffice.gov.uk/content/government-security/ MR 8 All ICT systems that handle, store and process protectively marked information or business critical data, or that are interconnected to cross-government networks or services (e.g. The Government Secure Intranet, GSI), must undergo a formal risk assessment to identify and understand relevant technical risks; and must undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed.
Security Policy Framework Cabinet Office website: http://www.cabinetoffice.gov.uk/content/government-security/ MR 9 Departments and Agencies must put in place an appropriate range of technical controls for all ICT systems, proportionate to the value, importance and sensitivity of the information held and the requirements of any interconnected systems. 10/06/2014 18
HMG Information Assurance Standards CESG Information Assurance Policy Portfolio www.cesg.gov.uk • IS1&2 – Information Risk Assessment • IS4 – Management of Cryptographic Systems • IS5 – Secure Sanitisation • IS6 – Protecting Personal Data & Managing Information Risk • IS7 – Authentication of Internal Users of ICT Systems Handling Government Information Only IS1 Technical Risk Assessment, Business Impact Levels & the IS1 Risk Tool are available on the public website at this time.
CESG Technical Guidance CESG Information Assurance Policy Portfolio www.cesg.gov.uk • GPGs – Good Practice Guides • Cryptographic Standards • Developers’ Notes • Implementation Guides • Architectural Patterns • CESG Security Procedures • Technical Threat Briefings • CESG IA Notices On Contract Award, IT Security Managers should contact email@example.com quoting Government Procurement Service as the sponsoring organisation
HMG Information Assurance Standards IS1 & 2 – Information Risk Assessment Risk Management Requirement 8 Departments & Agencies must assess the technical risks to the Confidentiality, Integrity and Availability of their ICT systems or services. A technical risk assessment must be conducted at the start of all HMG ICT projects or programmes, and must be refined to reflect any change. The findings of all technical risk assessment must be reviewed at least annually to identify any changes to threat, vulnerability or impact. Supports MR 8 of the SPF
HMG Information Assurance Standards IS1 & 2 – Information Risk Assessment Risk Management Requirement 13 The findings of the technical risk assessment must inform and substantiate the selection, and implementation approach of the controls used to treat the identified technical risks. The approach to selection and implementation must be endorsed by the Accreditor or their delegated authority. Supports MR 9 of the SPF
HMG Information Assurance Standards IS1 & 2 – Information Risk Assessment Risk Management Requirement 14 The risk treatment plan must include as a minimum the mandatory protective controls from the SPF, HMG IA Standards and other relevant Tier 4 policy documents. Supports MR 9 of the SPF
HMG Information Assurance Standards IS1 & 2 – Information Risk Assessment Risk Management Requirement 15 By default every HMG Information system or service with a Business Impact Level (IL) of 3 or above for either: Confidentiality, Integrity or Availability, must implement the full set of controls as defined in the Baseline Control Set of the supplement to this standard.
Baseline Control Set IS1-2 Supplement, Appendix A • Aligned to ISO27001 Control References 5 to 15 • DETER level guidance for IL2/3 • Suitable to treat all risks up to and including Medium • Risks identified as Medium-High or High must have additional mitigation in place
RMADs Accreditation Risk Management & Accreditation Document Set • The confidence that the risks to information systems are being properly managed is known as Information Assurance (IA), and the formal assessment of an information system against its IA requirements is known as accreditation. • All ICT systems or services that process, handle or store protectively marked or personal [or sensitive] Government information must be accredited using IAS 1-2 and reviewed annually. (eg >= IL 2) • Accreditation is the business process for managing information risk of ICT systems and services
RMADs Accreditation Accreditation Stages • The accreditation process must start as early as possible. • Initial requirements identified at Stage 0. • Preliminary process started by Stage 1 • Process starts around Stage 3. • Accreditation approval Stage 4. • Accreditation maintenance – Situation Awareness Stage 5 • End of life – Decommissioning Stage 6
RMADs Accreditation Accreditation Stages • Project Initiation – meet SRO/PM; agree Risk Owner (SIRO); set C, I and A business impact levels; agree risk tolerance based on Government Procurement Service risk appetite. • Set up IA management team – agree accreditation plan. • Draft RMADS and initial IAS1 risk assessment – approved by Accreditor. • Technical Security Architecture defined – approved by Accreditor and/or CESG Design Review. • System built. • Physical, procedural, personnel and technical (P3T) inspections including ITHC – consolidated risk register • User Acceptance Testing • SIRO acceptance of residual risk and RMADs accreditation sign off. • Annual security review (including ITHC) and re-accreditation • Decommission
RMADs Accreditation Interconnections – PSN, CJX, N3 • Approaches to the risk management and accreditation of interconnections will vary depending on complexity, however in all cases need a formal agreement on the interconnection is required. • Approaches may include: • • A Code of Connection (CoCo, eg PSN) for a single point to point connection; • • A Community Security Policy (CSP) defining the mandatory security requirements for connection to a community of interconnected systems or services; • • Shared service agreements – develop trust between shared IA managers; • The Accreditation approach for the required interconnections will be agreed following contract award when the proposed solution is known.
RMADs Accreditation Outsourcing & Offshoring • Host environments, data centres and other ICT services supplied by third parties/sub-contractors may also require accreditation. • GPG6 – Outsourcing & Offshoring: Managing the Security Risks • Supplementary controls for systems in addition to those in ISO27001 • A detailed risk assessment must be performed prior to transitioning service delivery to an external third party • The service provider is required to operate the contract in accordance with UK law, the SPF and all associated standards and guidance
RMADs Accreditation Overview of Contents • Section 1: Accreditation Status • Accreditation Statement • Accreditation History • Links & Dependencies • Register of Applicable Legislation • Section 2: Basic Information • Business Context • Description of Service • Information Asset List • Interconnections & Interfaces • Accreditation Scope • Responsibilities & Functions • Accreditation Review Process
RMADs Accreditation Overview of Contents - continued • Section 3: Information Risk Management • Corporate Risk Environment • Business Impact Statement • Technical Risk Assessment (IS1) & Risk Register • Risk Treatment Plan • Implementation Plan • Assurance Plan • Residual Risk Assessment & Gap Analysis • Section 4: Development, Acceptance & In-Service • Information Risk Management Plan (Security Case) • Results of IA Verification, Testing and Inspections (including ITHC) • Security Operations Procedures (SyOps) • Incident Management, Reporting & Response (including BCP) • Decommissioning and Disposal Procedures
RMADs Accreditation • For specific technical and functional requirements please contact the Government eMarketplace II procurement team • Successful bidders are strongly advised to engage a CLAS (CESG Listed) Consultant on Contract Award to assist with the RMADs process
Next Steps High Level Specification available online – W/C 13th August 2012 http://gps.cabinetoffice.gov.uk/i-am-supplier/supplier-industry-days Any questions or queries prior to issue of OJEU email them to Ge-M-II@gps.gsi.gov.uk