Bid Specification Template

BID SPECIFICATION
RFB REF. NO: 1437/2016

DESCRIPTION: THE IMPLEMENTATION AND MAINTENANCE OF A VULNERABILITY ASSESSMENT AND MANAGEMENT SOLUTION FOR THE DEPARTMENT OF TRADE AND INDUSTRY

VENDOR BRIEFING SESSION: NON COMPULSORY VENDOR BRIEFING SESSION WILL BE HELD AS FOLLOWS:
DATE: 18 NOVEMBER 2016
TIME: 10:00 AM
VENUE: SITA AUDITORIUM, 459 TSITSA STREET, ERASMUSKLOOF

CLOSING DATE FOR QUESTIONS / QUERIES: 28 NOVEMBER 2016

RFB CLOSING DETAILS
DATE: 05 DECEMBER 2016
TIME: 11:00AM
VENUE: SITA APOLLO – PONGOLA, 459 TSITSA STREET, ERASMUSKLOOF

PUBLIC OPENING OF BIDS
DATE: 08 DECEMBER 2016
TIME: 12:00 NOON
VENUE: SITA APOLLO – PONGOLA, 459 TSITSA STREET, ERASMUSKLOOF

BID VALIDITY PERIOD: 120 DAYS FROM THE CLOSING DATE
1 of 80
CONFIDENTIAL
Contents

ANNEX A: INTRODUCTION
1. PURPOSE AND BACKGROUND
   1.1. PURPOSE
   1.2. BACKGROUND
2. SCOPE OF BID
   2.1. SCOPE OF WORK
   2.2. DELIVERY ADDRESS
   2.3. CUSTOMER INFRASTRUCTURE AND ENVIRONMENT
3. TECHNICAL REQUIREMENT OVERVIEW
   3.1. PRODUCT REQUIREMENT
   3.2. SOLUTION REQUIREMENT
   3.3. PROJECT AND SERVICES REQUIREMENTS
4. BID EVALUATION STAGES

ANNEX A.1: ADMINISTRATIVE PRE-QUALIFICATION
5. ADMINISTRATIVE PRE-QUALIFICATION REQUIREMENTS
   5.1. ADMINISTRATIVE PRE-QUALIFICATION VERIFICATION
   5.2. ADMINISTRATIVE PRE-QUALIFICATION REQUIREMENTS

ANNEX A.2: TECHNICAL MANDATORY, FUNCTIONALITY AND PROOF OF CONCEPT REQUIREMENTS
6. TECHNICAL MANDATORY
   6.1. INSTRUCTION AND EVALUATION CRITERIA
   6.2. TECHNICAL MANDATORY REQUIREMENTS
   6.3. DECLARATION OF COMPLIANCE
7. TECHNICAL FUNCTIONALITY
   7.1. INSTRUCTION AND EVALUATION CRITERIA
   7.2. TECHNICAL FUNCTIONALITY REQUIREMENTS
8. PROOF OF CONCEPT

ANNEX A.3: SPECIAL CONDITIONS OF CONTRACT (SCC)
9. SPECIAL CONDITIONS OF CONTRACT
   9.1. INSTRUCTION
   9.2. SPECIAL CONDITIONS OF CONTRACT
   9.3. DECLARATION OF ACCEPTANCE

ANNEX A.4: COSTING AND PRICING
10. COSTING AND PRICING
   10.1. COSTING AND PRICING EVALUATION
   10.2. COSTING AND PRICING CONDITIONS
   10.3. DECLARATION OF ACCEPTANCE
   10.4. BID PRICING SCHEDULE

ANNEX A.5: TECHNICAL SCHEDULES
11. TECHNICAL SCHEDULES
   11.1. LOCATION SCHEDULE
   11.2. EQUIPMENT AND QUANTITY SCHEDULE
   11.3. SOLUTION ARCHITECTURE
   11.4. SERVICES AND PERFORMANCE SCHEDULE
   11.5. PROJECT AND DELIVERY SCHEDULE

ANNEX A.6: TERMS AND DEFINITIONS
1. ABBREVIATIONS
2. DEFINITIONS

ANNEX A.7: BIDDER SUBSTANTIATING EVIDENCE

ANNEX B: LOCAL CONTENT REQUIREMENTS (SBD 6.2)

The purpose of this specification is to obtain bids from Service Providers for the implementation
and maintenance of a Vulnerability Assessment and Management solution for the Department of
Trade and Industry (the dti).
The Office of the Chief Information Officer (OCIO) in the dti is responsible for managing and
maintaining the back office infrastructure hosting the business critical applications and services
that enable the dti to carry out its mandate as well as to ensure the ICT security of the department
as a whole.
Being a government department, information security is a major concern but it needs to be
balanced with the department’s requirement to work efficiently and effectively, as overly tight
information security controls can hamper the employees’ ability to carry out their function.
The goal of information security is to secure and protect information, which includes the
prevention and detection of unauthorised access and actions by users of a computer. To this end it
aims to achieve the privacy, confidentiality, integrity and availability of information resources.
One of the Top 20 Critical Security Controls (Number 4 on the SANS CIS 20 Critical Security
Controls for Effective Cyber Defence) is Continuous Vulnerability Assessment and Remediation;
this provides the ability to pro-actively identify and repair known software vulnerabilities.
(1) The supply, installation, integration and operationalisation of an on-premise Vulnerability
    Management solution for the dti that will scan and manage vulnerabilities on 1000 identified
    devices.
(2) To meet the scope of work, bidders are required to:
    (a) Provide an implementation strategy, including project schedule;
    (b) Complete the scope of work within three (3) months from the date of appointment;
    (c) Integrate with the dti's existing identity management solution (Active Directory or EDirectory);
    (d) Provide maintenance and support on the product for a period of three (3) years;
    (e) Provide training and knowledge transfer to the dti’s nominated resources;
    (f) Provide user manuals and system documentation to the dti for the implemented solution.

The scope of work excludes the following –
    (a) N/A

The goods and services must be provided at the physical locations as per section 11.1.

(1) Product baseline
    (a) Specific notable applications within the environment include:
        (i) SAP 7 or Later
        (ii) JBoss 4 or later
        (iii) Apache 2
        (iv) IIS 6.5 or later
        (v) SQL Server 2005 or later
        (vi) SAP Sybase
        (vii) MySQL
        (viii) Novell E-Directory
        (ix) Novell GroupWise
        (x) Microsoft Active Directory
        (xi) Microsoft Dynamics
        (xii) Microsoft Exchange
        (xiii) Microsoft DNS
        (xiv) Bind DNS
        (xv) Proxy server appliances
        (xvi) Trend Micro End User protection suite
(2) Infrastructure baseline
    (a) The department’s infrastructure consists predominantly of the following components:
        (i) Avaya Networking solutions
        (ii) Cisco Routing and switching solutions
        (iii) Avaya CS1000E VOIP Telephony platform
        (iv) Avaya Contact centre solutions
        (v) Lexmark Printing solution
        (vi) Solarwinds Network Monitoring solution
(3) Operating environment
    (a) The dti makes use of a multitude of operating systems:
        (i) Microsoft Windows server 2000 or Later
        (ii) Microsoft Windows XP or later
        (iii) SuSE Linux 9 or later
        (iv) OpenSuSE 9 or later
        (v) Ubuntu 7 or later
        (vi) Redhat 6.5 or later
        (vii) Checkpoint Operating Systems
        (viii) Specific purpose built Appliances

(1) Vulnerability Management Solution
    (a) Agent based and agentless vulnerability scanning.
    (b) Deployed across an initial asset base of a maximum of 1000 assets.
    (c) Scalable to at least 2500 assets (the additional 1500 licences are not part of this bid
        and if required would be bought separately).
    (d) Including a centralised management console with live threat tracking and reporting.
(2) Hardware
    (a) Able to run as an appliance, or on SLES Linux or Windows Server 2008 or later (only in
        a virtualised [VMWare 5.5 or later] environment).
    (b) Agents and agentless scanners able to support all the asset environments, operating
        systems and databases as defined in 2.3 above.
    (c) Provision of hardware as part of the solution to the dti.
(3) Network
    (a) Able to support local and wide area network deployment
    (b) Management of agent or log file transfer from asset to the central system must be able
        to be managed below 150kb/s.
(4) Documentation and Training
    (a) Product solution technical documentation and guides (technical, administrator, and
        user).
    (b) Product solution technical and administrator training to facilitate skills transfer by the
        end of the 36 month maintenance and support period.

A turnkey solution is required in line with the product requirements as specified in Section 3.1.
Additional details in terms of target architecture and solution integration are:
(1) SOLUTION TARGET ARCHITECTURE
    (a) Management of vulnerabilities on 1000 assets across the dti’s infrastructure.
    (b) Deployed across 1 campus area network and local locations and 5 wide area locations
        (i.e. the tool should also be able to scan from a single location to locations attached to
        the wide area network).
    (c) Centralised vulnerability management operations centre for monitoring and managing
        all identified vulnerabilities and alerts.
    (d) Solution hardware and software deployed at a single location as specified in section
        11.1.
(2) SOLUTION INTEGRATION REQUIREMENTS
    (a) Integration into the dti’s authentication environments of Microsoft Active Directory
        and e-Directory.
    (b) Deployment onto the asset/device, server, workstation, operating system, database,
        and application.

(1) PROJECT DELIVERY SCHEDULE AND PERFORMANCE
    (a) Solution design, installation and implementation - from appointment of the Supplier to
        sign-off of the project – to take no more than 3 calendar months/13 calendar weeks or
        93 calendar days.
(2) SERVICE DELIVERY SCHEDULE AND PERFORMANCE METRICS
    (a) Provision of on-site maintenance and support - between the hours of 08h00 to 16h30
        Monday to Friday - of the implemented Vulnerability Management solution.
    (b) Vulnerability Management solution patch and update management as part of the
        on-site maintenance service in accordance with the product manufacturer’s patch and
        update schedule.
    (c) Issue and defect resolution with a turn-around time of 24 hours.
    (d) Skills transfer to identified dti staff to commence within 6 months of the contract
        being awarded and continue till the conclusion of the 36 month maintenance and
        support contract.

(1) The bid evaluation process consists of several stages that are applicable according to the
    nature of the bid as defined in the table below.

    Stage    | Description                                       | Applicable for this bid
    Stage 1  | Administrative pre-qualification verification     | YES
    Stage 2A | Technical Mandatory requirement evaluation        | YES
    Stage 2B | Technical Functionality requirement evaluation    | YES
    Stage 2C | Technical Proof of Concept requirement evaluation | NO
    Stage 3  | Special Conditions of Contract verification       | YES
    Stage 4  | Price / B-BBEE evaluation                         | YES

(2) The bidder must qualify for each stage to be eligible to proceed to the next stage of the
    evaluation.

(1) The bidder must comply with ALL of the bid pre-qualification requirements in order for the
    bid to be accepted for evaluation.
(2) If the Bidder failed to comply with any of the administrative pre-qualification requirements,
    or if SITA is unable to verify whether the pre-qualification requirements are met, then SITA
    reserves the right to –
    (a) Reject the bid and not evaluate it, or
    (b) Accept the bid for evaluation, on condition that the Bidder must submit within 7
        (seven) days any supplementary information to achieve full compliance, provided that
        the supplementary information is administrative and not substantive in nature.

(1) Submission of bid response: The bidder has submitted a bid response documentation pack –
    (a) that was delivered at the correct physical or postal address and within the stipulated
        date and time as specified in the “Invitation to Bid” cover page, and;
    (b) in the correct format as one original document, two copies and one CD.
(2) Attendance at compulsory briefing session: If a compulsory briefing session was called, then
    the bidder has signed the briefing session attendance register using the same information
    (bidder company name, bidder representative person name and contact details) as
    submitted in the bidder’s response document.
(3) Registered Supplier. The bidder is, in terms of National Treasury Instruction Note 3 of
    2016/17, registered as a Supplier on National Treasury Central Supplier Database (CSD).
Purpose: Technical Mandatory requirements are the absolute minimum requirements to fulfil the Business Objective;
(1) The bidder must comply with ALL the requirements by providing substantiating evidence in the form of documentation or information, failing
    which it will be regarded as “NOT COMPLY”.
(2) The bidder must provide a unique reference number (e.g. binder/folio, chapter, section, page) to locate substantiating evidence in the bid
    response. During evaluation, SITA reserves the right to treat substantiation evidence that cannot be located in the bid response as “NOT
    COMPLY”.
(3) The bidder must complete the declaration of compliance as per section 6.3 below by marking with an “X” either “COMPLY”, or “NOT COMPLY”
    with ALL of the technical mandatory requirements, failing which it will be regarded as “NOT COMPLY”.
(4) The bidder must comply with ALL the TECHNICAL MANDATORY REQUIREMENTS in order for the bid to proceed to the next stage of the
    evaluation.

Table columns: TECHNICAL MANDATORY REQUIREMENTS | Substantiating evidence of compliance (used to evaluate bid) | Evidence reference (to be completed by bidder)

(1) BIDDER CERTIFICATION / AFFILIATION REQUIREMENTS
    (a) Requirement: The bidder must be a certified supplier and installer of the proposed product solution.
        Substantiating evidence: In substantiation of response, bidders must provide a valid OEM certificate certifying their organisation for the proposed product solution.
(2) BIDDER EXPERIENCE AND CAPABILITY REQUIREMENTS
    (a) Requirement: The bidder must have at least 5 years relevant experience in installing, maintaining and supporting the proposed Vulnerability Management Solution of the scope and size required in terms of this bid.
        Substantiating evidence: In substantiation of this the bidder must provide letters of reference - on the client’s letterhead - from clients demonstrating a cumulative experience of 5 years. Letters of reference are to contain the following details:
        - Client name:
        - Services/scope of work provided:
        - Technology tools used:
        - Service delivery timelines (start & end dates):
        - Description of the type of resources allocated to the client:
        - Client contact details:
          - Name:
          - Designation:
          - Telephone Number:
          - e-mail address:
(3) BIDDER PRESENCE REQUIREMENTS
    None
(4) PRODUCT OR SERVICE TECHNICAL REQUIREMENTS
    (a) Requirement: The proposed solution must be an on-premise solution.
        Substantiating evidence: Substantiate by providing references from the proposed product technical specification documentation indicating that all scan data will be retained on premise at all times, and no information detected, or utilised, by the solution will leave the department’s infrastructure.
    (b) Requirement: The solution must be able to scan a minimum of one thousand (1000) IP addresses, and must be scalable to scan a total of two thousand five hundred (2500) IP addresses if required in the future.
        Substantiating evidence: Substantiate by providing references from the proposed product technical specification documentation.
    (c) Requirement: The proposed solution must cater for both Agent and Agentless scanning abilities.
        Substantiating evidence: Substantiate by providing references from the proposed product technical specification documentation.
    (d) Requirement: Scan result sent across the corporate network (between agents and/or devices and the proposed solution) must be encrypted using a recognised encryption algorithm.
        Substantiating evidence: Substantiate by providing references from the proposed product technical specification documentation. These references must detail the encryption methods supported.
    (e) Requirement: The solution must be able to provide vulnerability assessment of Microsoft operating systems Windows 2000 Server or later, and Windows XP desktop or later.
        Substantiating evidence: Substantiate by providing references from the proposed product technical specification documentation. These references must detail the Microsoft operating systems supported.
    (f) Requirement: The solution must be able to provide vulnerability assessment of the following virtualisation technologies:
        - VMWare ESX Server 4.0 and later
        - VMware Workstation 7.0.x and later
        - XEN
        - Virtual box
        - Microsoft Hyper-V
        Substantiating evidence: Substantiate by providing references from the proposed product technical specification documentation. These references must detail all virtualisation technologies supported.
    (g) Requirement: The solution must be able to provide vulnerability assessment of the following SQL database technologies:
        - Microsoft SQL Server 2005 32/64 bit and later
        - Oracle 7 and later
        - Sybase ASE 14 and later
        - MySQL 4 and later
        Substantiating evidence: Substantiate by providing references from the proposed product technical specification documentation. These references must detail all SQL database technologies supported.
    (h) Requirement: The solution must be able to provide vulnerability assessment of the following Linux/UNIX operating systems:
        - SuSE SLES 9 and later
        - OpenSuSE 9 and later
        - Ubuntu 9 and later
        - RedHat (all versions)
        - HPUX 10.20 and later
        Substantiating evidence: Substantiate by providing references from the proposed product technical specification documentation. These references must detail all operating system versions supported.
(5) PRODUCT OR SERVICE FUNCTIONAL REQUIREMENT
    (a) Requirement: The proposed solution must be a Vulnerability Lifecycle Management tool with vulnerability correlation.
        Substantiating evidence: Provide details on whether vulnerability correlation is supported in the proposed product/solution, including references to the standard product functional specification documentation.
    (b) Requirement: The proposed solution must provide complete visibility of and reporting on identified vulnerabilities through a single management console.
        Substantiating evidence: Substantiate compliance with this requirement by describing how identified vulnerabilities are consolidated and presented through a single management console. To this end bidders may reference both the proposed solution architecture in 7.2.3.a, as well as the proposed solution technical specification documentation.
    (c) Requirement: The product must facilitate asset management where assets have more than one IP address. Assets with more than one IP address must be correlated as one asset to ensure that the vulnerability scans are accurate.
        Substantiating evidence: Substantiate compliance with this requirement by detailing how multiple IP addresses per asset are managed in the proposed solution, and how correlation of vulnerabilities identified are consolidated per asset.
(6) INTEGRATION REQUIREMENT
    (a) Requirement: It is required that the proposed product solution integrate with existing authentication methods including LDAP, and SecureID/RADIUS to authenticate users accessing the proposed solution.
        Substantiating evidence: The bidder is required to cross reference and attach the applicable product technical specifications to clearly depict compliance with this requirement.

The bidder declares by indicating with an “X” in either the “COMPLY” or “NOT COMPLY” column that –
    (a) The bid complies with each and every TECHNICAL MANDATORY REQUIREMENT as specified in
        SECTION 6.2 above; AND
    (b) Each and every requirement specification is substantiated by evidence as proof of compliance.

    Comply | Not Comply

(1) The bidder must complete in full all of the TECHNICAL FUNCTIONALITY requirements.
(2) The bidder must provide a unique reference number (e.g. binder/folio, chapter, section, page) to locate substantiating evidence in the bid
    response. During evaluation, SITA reserves the right to treat substantiation evidence that cannot be located in the bid response as “NOT
    COMPLY”.
(3) Evaluation per requirement. The evaluation (scoring) of bidders’ responses to the requirements will be determined by the completeness,
    relevance and accuracy of substantiating evidence. Each TECHNICAL FUNCTIONALITY requirement will be evaluated using a maximum 5 point
    scale. For the details of each requirement’s evaluation criteria please refer to the specific item.
(4) Weighting of requirements: The full scope of requirements will be determined by the following weights:

    No. | Technical functionality requirements              | Weighting
    1.  | Bidder Certification And Proficiency Requirements | 0%
    2.  | Bidder Experience And Capability Requirements     | 5%
    3.  | Product Or Service Functional Requirement         | 85%
    4.  | Product Performance Requirements                  | 10%
        | TOTAL                                             | 100 %

(5) Minimum threshold. To be eligible to proceed to the next stage of the evaluation the bid must achieve a minimum threshold score of 70%.

Table columns: TECHNICAL FUNCTIONALITY REQUIREMENTS | Substantiating evidence and evaluation criteria (used to evaluate bid) | Substantiation reference (to be completed by bidder; If applicable provide a unique reference to locate substantiating evidence in the bid response Annex A.7)

(1) BIDDER CERTIFICATION AND PROFICIENCY REQUIREMENTS
    Not applicable for this bid
(2) BIDDER EXPERIENCE AND CAPABILITY REQUIREMENTS
    (a) Requirement: The bidder makes use of known and accepted industry standards in defining, designing, implementing and maintaining/supporting their Vulnerability Management solutions.
        Substantiating evidence: In substantiation of response, bidders should provide details of the organisation’s published methodologies and processes for enterprise architecture, solution architecture and project implementation, and operational support and maintenance for the proposed product solution.
        Evaluation criteria:
        0 = No methodologies or processes provided
        1 = Published methodologies provided for Enterprise or Solution Architecture only
        3 = Published methodologies provided for Enterprise and Solution Architecture, as well as Project Management
        5 = Published methodologies provided for Enterprise & Solution Architecture, Project Management and processes for Operational Support and Maintenance.
(3) PRODUCT OR SERVICE FUNCTIONAL REQUIREMENT
    (a) Requirement: The bidder must ensure that the proposed solution architecture is capable of delivering the requested scope, and that it contains all the necessary component technology products in support of an industry standard Vulnerability Management Solution.
        Substantiating evidence: Substantiate by providing a documented proposed solution architecture that details all technical building blocks in the solution in support of this requirement. The document should contain both diagrams and narrative so as to comprehensively describe the solution architecture.
        Evaluation criteria:
        0 = No documented solution architecture provided
        1 = Product documentation provided only
        3 = Product documentation provided together with a solution architecture diagram depicting the solution in the dti’s network
        5 = Product documentation provided together with a solution architecture diagram depicting the solution in the dti’s network together with a narrative explaining how the on-premise solution will cater for the device types, dispersed locations and centralised management console.
    (b) Requirement: Identified vulnerabilities must be automatically ranked according to the vulnerabilities risk. This should be achieved by correlating asset types and vulnerability data to achieve a vulnerability ranking.
        Substantiating evidence: Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
        Evaluation criteria:
        0 = No product documentation provided or the solution does not support this requirement
        1 = Product documentation provided gives evidence of vulnerability correlation capabilities
        3 = Product documentation gives evidence of vulnerability correlation capabilities by asset and a vulnerability ranking by severity
        5 = Product documentation gives evidence of vulnerability correlation capabilities by asset with a calculated vulnerability ranking that can be configured per asset and vulnerability type
    (c) Requirement: The solution must provide possible vulnerability remediation information by combining vulnerability type, vulnerability severity, and asset criticality information to quickly prioritise and address violations and vulnerabilities on systems and devices.
        Substantiating evidence: Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
        Evaluation criteria:
        0 = No product documentation provided or the solution does not support this requirement
        1 = Product documentation gives evidence of vulnerability correlation capabilities by asset and a vulnerability ranking by severity only
        3 = Product documentation gives evidence of the capability to provide remediation information based on either asset type or vulnerability severity
        5 = Product documentation gives evidence of the capability to provide remediation information based on both asset type and vulnerability severity
    (d) Requirement: The solution must provide an audit trail of vulnerability scans by generating conclusive evidence of: expected and actual scan results, assets not scanned, failed scans, and new assets discovered that are not being scanned.
        Substantiating evidence: Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement. If available, the bidder should provide samples of such audit trails as part of their submission.
        Evaluation criteria:
        0 = No sample audit trails provided or the solution does not support this requirement
        1 = Sample audit trails provided but these do not cover all audit trail types requested
        3 = Sample audit trails cover actual scan results, failed scans and new assets discovered as a minimum
        5 = Sample audit trails cover expected and actual scan results, failed scans, assets not scanned, and new assets discovered
    (e) Requirement: Provide an agentless network based scanning solution which can efficiently scan networks to identify assets, and then fingerprint them to determine their operating system and any vulnerabilities they may have.
        Substantiating evidence: Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement. If available, the bidder should provide samples of such a fingerprint as part of their submission.
        Evaluation criteria:
        0 = No product documentation provided or the solution does not support this requirement
        1 = Product documentation provided gives evidence of the ability to perform agentless network scanning only
        3 = Product documentation provided gives evidence of ability to perform agentless network scanning, fingerprinting of assets, and provision of vulnerability information
        5 = Product documentation provided gives evidence of the full capability, and sample scans or fingerprint results provided in substantiation of the capability
The proposed solution should provide network asset discovery across the entire IP network. After assets have been discovered, the tool must allow for specific assets to be selected for vulnerability assessment scans.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No cross-references to product documentation provided or the solution does not support this requirement
3= Product documentation gives evidence of IP based network auto-discovery capabilities only
5= Product documentation shows network auto-discovery capabilities and the ability to include discovered IP based assets in assessment scans
(g)
The solution must support the ability to manage multiple scanners that are geographically dispersed if required by the dti.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or the solution does not support this requirement
3= Product documentation shows that agent based and agentless scanners can be deployed across the wide area network only
4= Product documentation shows that agent based and agentless scanners can be both deployed and managed across the wide area network
5= Product documentation shows that agent based and agentless scanners can be both deployed and managed across the wide area network, and that wide area network bandwidth limitations or constraints have been specified for agent based scanners
(h)
The proposed solution must provide complete visibility of and reporting on identified vulnerabilities through a single management console across a Wide Area Network (WAN).
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement. Bidders must ensure that their proposed solution architecture (7.2.3.a) clearly depicts WAN components in the design.
0= No product documentation provided or the solution does not support this functionality
1= Product documentation provided only showing support of a centralised management console
3= Product documentation provided together with a solution architecture diagram depicting the management console in the dti’s network (local and wide area)
5= Product documentation provided together with a solution architecture diagram depicting the management console in the dti’s network (local and wide area), and documentation contains details of how vulnerability reporting is provided for local and remote/wide-area assets
(i)
The proposed solution must be able to perform authenticated and unauthenticated checks against identified assets.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or solution does not support this functionality
3= Product documentation provided gives evidence of support for either authenticated or unauthenticated checks
5= Product documentation provided gives evidence of support for both authenticated and unauthenticated checks
(j)
The applicable product must automatically update the vulnerability assessment library (library of tests that can be performed) every 24 hours.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does not support this functionality
3= Product documentation provided gives evidence of support for automated vulnerability library updates (period unspecified or un-configurable)
5= Product documentation provided gives evidence of support for automated vulnerability library updates (period of 24 hours specified or configurable)
(k)
The solution must provide reports on any new vulnerabilities added to the vulnerability assessment library (refer 7.2.3.j above) and when they were first utilised in asset vulnerability scans.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does not support this functionality
3= Product documentation provided gives evidence of a report listing new vulnerabilities added since the last report
5= Product documentation provided gives evidence of a report listing new vulnerabilities added since the last report and when these were last used in scans
(l)
The product must support risk-based scoring metrics per asset being scanned.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or risk-based scoring per asset not supported
5= Product documentation provided gives evidence of support for risk-based scoring per asset
(m)
The product must support asset management based on attributes of IPv4 addresses as well as IPv6 addresses as follows:
• Displaying of IPv4/6 address;
• Sorting of assets based on IPv4/6 address;
• Addition of IPv4/6 address as part of properties;
• Searching using IPv4/6 address.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does not support this functionality
1= Product documentation provided gives evidence of support for IPv4 only
3= Product documentation provided gives evidence of support for either IPv4 or IPv6 with the ability to search, sort and add properties per asset
5= Product documentation provided gives evidence of support for both IPv4 and IPv6 with the ability to search, sort and add properties per asset
(n)
The product must allow Scan Administrators to save selected checks as vulnerability scan sets and re-use the same set in other scan configurations and reports.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does not support this functionality
3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided
5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this
(o)
The solution must provide for predefined vulnerability sets based on popular compliance standards.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or proposed product does not support this functionality
3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided
5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this
(p)
The proposed solution supports secure non-reversible encryption storage of credentials for systems, for use in authenticated scans.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does not support this functionality
3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided
5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this
(q)
The product uses a customisable system to track individual assets through IP changes and office moves. Assets must be able to be tracked with a combination of the following tracking methods:
• IP Address;
• Host name;
• DNS name;
• MAC address
Substantiate support of this requirement by detailing the method used within the solution to enable this functional requirement, as well as the tracking methods supported. In addition, details as to the customisability of the functionality should be provided.
0= No product documentation provided or product does not support this functionality
1= As per substantiating evidence asset attributes include no more than two of the tracking methods required
3= Substantiating evidence shows asset attribute types support all four of the methods listed, and that changes in any of the four attribute types are tracked and viewable in the asset’s history
5= Substantiating evidence shows asset attribute types support all four of the methods listed, that changes in any of the four attribute types are tracked and viewable in the asset’s history, and that additional customised attributes can be included per asset
(r)
The solution must provide pre-built scan templates that cover common vulnerability checks as prescribed by OWASP, PCI DSS, and CVE.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does not support this functionality
1= Product documentation supports the ability to build pre-configured scans based on common vulnerabilities
3= Product documentation supports the ability to build pre-configured scans based on common vulnerabilities and that these support at least one of the listed industry standards
5= Product documentation supports the ability to build pre-configured scans based on common vulnerabilities and that these support all of the listed industry standards
(s)
The proposed product solution must support the following standards:
• Open Vulnerability and Assessment Language (OVAL),
• Common Vulnerability Scoring System (CVSS),
• Common Vulnerabilities and Exposures (CVE),
• Common Platform Enumeration (CPE);
• Common Configuration Enumeration (CCE).
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or none of the listed standards supported
1= Product documentation shows support for at least two of the standards listed
3= Product documentation shows support for at least three of the standards listed
5= Product documentation shows support for all of the standards listed
(t)
The solution must allow for the creation of parallel scans with each scan having its own unique schedule and settings to map correctly to the dti’s vulnerability assessment requirements.
Substantiate support of this requirement by detailing the method used within the solution to enable this functional requirement.
0= No product documentation provided or product does not support this functionality
3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided
5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this
(u)
The proposed product must facilitate automatic asset discovery using different discovery techniques (e.g. switch ARP Tables, IP scan, ICMP ping).
Substantiate support of this requirement by detailing the method used for automatic asset discovery, as well as the techniques supported.
0= No product documentation provided or product does not support this functionality
3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided
5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this
(v)
The proposed solution must be able to fingerprint different operating systems (e.g. Microsoft Windows, Linux)
Substantiate support of this requirement by providing product specifications that list the operating systems and version numbers that can be fingerprinted by the proposed solution.
0= No product documentation provided or product does not support this functionality
3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided
5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this
(w)
The proposed solution must support the identification of applications installed on assets and scan the applications for vulnerabilities. The types of applications can include Java and related products, Adobe and related products, SAP, JBoss and related products, Apache and related products, Checkpoint Solutions, Linux / Open source solution (i.e. IPTables, bind) and Microsoft products.
Substantiate support of this requirement by providing product specifications that list the applications installed on assets that can be scanned by the proposed solution.
0= No product documentation provided or product does not support this functionality
1= The product documentation provided shows evidence of support for identification of applications installed on assets only
3= The product documentation provided shows evidence of support for application identification but not for all the application types listed
5= The product documentation provided shows evidence of support for application identification for all the application types listed
(x)
The proposed solution must support the identification of hardware assets and be able to scan these for vulnerabilities. Types of assets can include: network switches, SAN controllers, firewalls, IDS/IPS devices, and printers.
Substantiate support of this requirement by providing product specifications that list the assets/devices that the proposed solution is able to scan.
0= No product documentation provided or product does not support this functionality
1= The product documentation provided shows evidence of support for identification of hardware assets only
3= The product documentation provided shows evidence of support for hardware asset identification and vulnerability scanning but supported assets are not listed
5= The product documentation provided shows evidence of support for hardware asset identification and vulnerability scanning, and the supported assets listed include those as per the requirement
(y)
The Vulnerability Management product solution must provide detailed scan progress information within the management console.
In substantiation of this requirement the product technical specification(s) or component specification provided must provide evidence of how this is supported.
0= No product documentation provided or product does not support this functionality
3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided
5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this
(z)
The proposed solution must support the writing of custom scripts & scans to manage proprietary and legacy systems.
Substantiate by providing details on the method and supported scripting and scanning toolsets/APIs proposed to support this requirement.
0= No product documentation provided or product does not support this functionality
3= Functional requirement and support of legacy system integration can be achieved through customisation of the product based on the substantiating evidence provided
5= Functional requirement and support of legacy system integration is provided out of the box through the product scripting, toolsets and APIs, and documentation provided gives evidence of this
(aa)
The ability to perform targeted scans (i.e. checks for a specific set of vulnerabilities) must be supported by the solution.
Substantiate support of this requirement by detailing the method used to perform targeted/selective vulnerability scans.
0= No method documentation provided or product does not support this functionality
3= Method detailed supports the ability to select specific vulnerabilities from a presented list of vulnerabilities and apply this in a scan to all assets only
5= Method detailed supports the ability to select specific vulnerabilities from a presented list of vulnerabilities and apply this in a scan to selected assets
(bb)
The proposed product solution must provide for OS and service-level scanning for web servers with vulnerability scripts designed to detect vulnerabilities in web server applications (such as Microsoft Internet Information Server, Apache HTTP Daemon, Apache Tomcat, JBoss)
Substantiate support of this requirement by detailing the method used within the solution to enable this functional requirement, as well as list the web server applications/environments supported.
0= No method provided or product does not support this functionality
2= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating method provided, but no supported web server applications listed
4= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating method provided, and supported web server applications listed
5= Functional requirement is provided out of the box with the product, and documentation provided gives evidence of this. Supported web server applications also provided
(cc)
The product solution must provide the functionality to specify the type of credentials to be used during scanning, either by IP address, DNS name, NETBIOS name, or with a default set of credentials.
Provide evidence of support of this requirement by confirming that the functionality is supported by the proposed product, provide the product functional specification wherein this is confirmed, and list the methods that are supported based on the list provided.
0= No supporting evidence provided or product does not support this functionality
3= Product documentation in support of functionality provided only
5= Product documentation in support of functionality provided, and supported methods listed
(dd)
The product solution must be able to discover IPv6 targets using ‘neighbour discovery’ and ‘ICMPv6’.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does not support this functionality
3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided
5= Functional requirement is provided out of the box with the product, and documentation gives evidence of this
(ee)
The product solution must support the following methods for acquiring IPv6 targets:
• DNS name
• IP Address (Individual IP, Range, CIDR format)
• NETBIOS name
• Import of IPv6 targets through text file
Substantiate by cross-referencing the proposed solution technical specification documentation to clearly depict which methods are supported.
0= No product documentation provided or product does not support this functionality
3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided
5= Functional requirement is provided out of the box with the product, methods listed are supported, and documentation provided gives evidence of this
(ff)
The product solution must support the following IPv6 formats:
• Long format (2000:0000:fce8:abcd:0000:0000:0000:0084)
• Short format (::1, 2000::41)
• Mapped Format (2000:0000:fce8:abcd:0000:0000.0.0.0.132)
• Literal Format (2000--41.ipv6-literal.net)
Substantiate by cross-referencing the proposed solution technical specification documentation to clearly depict which formats are supported.
0= No product documentation provided or product does not support this functionality
3= Functional requirement can be achieved through configuration and/or customisation of the product based on the substantiating evidence provided
5= Functional requirement is provided out of the box with the product, formats listed are supported, and documentation provided gives evidence of this
(gg)
The proposed solution must provide role-based access that segregates global configuration from daily scan activities.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does not support this functionality
3= Segregation of duties (global configuration from daily scan activities) is achieved through rights assignments per user only
5= Segregation of duties (global configuration from daily scan activities) is achieved through assignment of a user to a role based access group
(hh)
The product solution must cater for administrative groups and privileged access that allows segregation of users by asset groups or scan activities
Provide evidence of support of this requirement by confirming that the functionality is supported by the proposed product, provide the product functional specification wherein this is confirmed, and detail the process used to enable this.
0= No supporting evidence provided or product does not support this functionality
3= Rights assignments by administrative group allow for either segregation by asset group or scan activities
5= Rights assignments by administrative group allow for segregation by asset group and scan activities
(ii)
The proposed solution must provide an unalterable audit trail of user access & activities performed within the tool.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement, and provide details of how the integrity of the audit trail is assured.
0= No supporting evidence provided or product does not support this functionality
3= As per evidence provided user access and activity audit trails are provided and can only be altered by system administrators
5= As per evidence provided user access and activity audit trails are provided and cannot be altered by any system user including administrators
(jj)
The management console must be web based and support the following browsers:
• Internet Explorer 8 or later,
• Firefox 3.6 or later
• Google Chrome
Substantiate by cross-referencing the proposed solution technical specification documentation, and clearly depict which browsers are supported.
0= No supporting evidence provided
3= All listed browsers are supported but versions not specified or not all versions supported
5= All listed browsers and versions are supported
(kk)
The management console tool provided must provide vulnerability and threat / risk dashboards with drill down capabilities.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does not support this functionality
3= As per product documentation provided the management console supports the display of vulnerability and threat/risk dashboards only
5= As per product documentation provided the management console supports the display of vulnerability and threat/risk dashboards with drill-down capabilities
(ll)
The dashboards provided in the management console must include score-trending to track the organisation’s vulnerability mitigation progress over time as an executive management tracking tool.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does not support this functionality
3= As per product documentation provided the management console supports an organisational vulnerability score profile at a point in time only
5= As per product documentation provided the management console supports organisational vulnerability profile trending relative to historical tracking
(mm)
The executive management tracking functionality must include dashboards that allow for summary measurements of the organisation’s overall security health, as well as short and long-term trend analysis with regards to vulnerability detection and mitigation.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement, and providing snapshots of sample dashboards depicting this information.
0= No product documentation provided or product does not support this functionality
3= As per product documentation and samples provided the dashboards support an organisational security health score relative to a predefined set of vulnerability factors
5= As per product documentation and samples provided the dashboards support an organisational security health score relative to a predefined set of vulnerability factors, as well as trend tracking relative to vulnerability detection and remediation performed in the past n periods
(nn) The management console must provide flexible reports that categorise data by asset, network, risk / threat, or vulnerability
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement, and providing sample reports depicting this information.
0= No product documentation provided or product does
not support flexible reporting
3= Flexible reporting supported for at least two of four
categorisation factors listed
5= Flexible reporting supported for all four of the
categorisation factors listed
(oo) The management console must provide detailed reports that rank vulnerabilities by risk type and asset.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement, and providing sample reports depicting this information.
0= No product documentation or sample reports
provided, or product does not support this requirement
3= Detailed reports support either ranking by asset OR
by risk type
5= Detailed reports support ranking by asset and risk
type
(pp) The proposed product solution must be able to provide an asset-centric report, i.e. according to how business units are organised, rather than scan-centric or network-centric reports
Substantiate by providing details of how such reports can be produced, and also provide sample reports depicting this information.
0= No details on how reports are produced or sample
reports provided, or product does not support this
requirement
3= Functional requirement can be achieved through
configuration and/or customisation of the product
based on the substantiating evidence and samples
provided
5= Functional requirement is provided out of the box
with the product, and documentation/samples provided
give evidence of this
(qq) The management console reporting tool must support the use of filters to select and organise results in reports, including the use of IPv6 as a filter.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does
not support this requirement
3= Functional requirement can be achieved through
configuration and/or customisation of the product
based on the substantiating evidence provided
5= Functional requirement is provided out of the box
with the product, IPv6 is supported, and documentation
provided gives evidence of this
(rr) The reports provided must allow for reporting options that categorise data by platform, business unit, geography, or IP range to deliver insight into policy violations, vulnerabilities, remediation actions, and changing risk profiles.
Substantiate by providing details of how such reports can be produced, and also provide sample reports depicting this information.
0= No details on how reports are produced or sample
reports provided, or product does not support this
requirement
3= Functional requirement can be achieved through
configuration and/or customisation of the product
based on the substantiating evidence and samples
provided
5= Functional requirement is provided out of the box
with the product, formats listed are supported, and
documentation/samples provided gives evidence of this
(ss) The management console reporting tool must facilitate report generation for scans even while a scan is still running.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided or product does
not support this requirement
3= Proposed product solution only supports reporting
on completed scans
5= Proposed product solution supports reporting on
scans while running
(tt) The vulnerabilities identified in the reports
generated by the proposed tool must provide links
to detailed descriptions of identified vulnerabilities;
i.e. each vulnerability must be correlated with
standard references such as CVE or SANS.
Substantiate by detailing how this functionality is
provided within the tool, and how links to vulnerability
types are maintained.
0= No details provided on how this functionality is
maintained in the tool, or the product does not support
this requirement
3= Based on evidence provided the functional
requirement can only be achieved through manual
configuration and/or customisation of the product to
link vulnerability descriptions from authoritative sources
5= Based on evidence provided the functional
requirement can be achieved out-of-the-box through
product provided links to authoritative sources which
are automatically updated as/when they are changed by
the standards authority
(uu) The detailed vulnerability descriptions linked to the reports must include recommended steps for remediation and – where applicable – all recommendations must be sourced from the scanned asset manufacturer’s online knowledgebase with a link provided to the appropriate article.
Substantiate by detailing how this functionality is provided within the tool, and how links to knowledgebase(s) are maintained.
0= No details provided on how this functionality is
maintained in the tool, or the product does not support
this requirement
3= Functional requirement can only be achieved through
manual configuration and/or customisation of the
product to link vulnerability remediation steps from
authoritative sources
5= Functional requirement can be achieved out-of-the-box
through product-provided links to authoritative
sources for remediation steps which are automatically
updated as/when they are changed at the source
(vv) The recommended remediation steps local source database must support modification to enable customised remediation actions or recommendations.
Substantiate by detailing how this functionality is provided within the tool, and how customised remediation steps are maintained.
0= No details provided on how this functionality is
maintained in the tool, or the product does not support
this requirement
1= Remediation steps exist based on the product based
knowledge base but cannot be added to or customised
according to the organisation’s needs
5= Remediation steps exist based on the product based
knowledge base and can be added to or customised
according to the organisation’s needs
(ww) The reporting component within the proposed product solution must support custom reports that are easily configurable using a “wizard-style” setup.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No details provided on how this functionality is
maintained in the tool, or the product does not support
this requirement
3= As evident in the product documentation, default
reports exist within the product but can only be added
to or customised by specific intervention by the product
supplier or vendor
5= Report customisation is possible from within the
management console using a “wizard style” report
tool/setup as is supported by the product
documentation provided
(xx) Generated reports must be able to be scheduled to occur at the convenience of the administrator and mailed to specific end users.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No details provided on how this functionality is
supported in the tool, or the product does not support
this requirement
1= As evident in the product documentation, reports can
only be run manually by an operator or user utilising the
management console
5= Automatic scheduled report generation and e-mailing
is possible from within the management console as is
supported by the product documentation provided
(yy) It must be possible to include vulnerability assessment data from multiple scans over a specific timeframe in generated reports.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement, and detail how the selection of these criteria is achieved.
0= No details provided on how this functionality is
maintained in the tool, or the product does not support
this requirement
3= As evident in the product documentation, default
reports exist within the product but flexibility in terms of
duration or reporting span customisation can only be
achieved by specific intervention from the product
supplier or vendor
5= Setting of report timescale and span of data is
possible by specifying this within the management
console, and this is supported by the product
documentation provided
(zz) The proposed product solution must allow for the modification of vulnerability scoring metrics so as to align vulnerability threat level reporting to specific business targets and objectives.
In substantiation of this requirement the product technical, functional or component specification(s) provided must provide evidence of how this is supported.
0= No details provided on how this functionality is
maintained in the tool, or the product does not support
this requirement
3= Functional requirement can be achieved through
configuration and/or customisation of the product
based on the substantiating evidence provided
5= Functional requirement is provided out of the box
with the product, and this is supported by the product
documentation provided
(aaa) The proposed solution must provide built-in capabilities that support the assigning of selected vulnerabilities to specific employees, as well as the ability to track remediation activities performed by the assignee based on specific scanned asset information.
In substantiation of this requirement the product technical, functional or component specification(s) provided must provide evidence of how this is supported.
0= No product documentation provided on how this
functionality is supported in the tool, or the product
does not support this requirement
3= Functional requirement can be achieved through
configuration and/or customisation of the product
based on the substantiating evidence provided
5= Functional requirement is provided out of the box
with the product, and this is supported by the product
documentation provided
(bbb) The product solution must facilitate secure access to the vulnerability and scan results database to allow for data mining of the detailed results by an external tool.
In substantiation of this requirement the product technical, functional or component specification(s) provided must provide evidence of how this is supported.
0= No product documentation provided on how this
functionality is supported in the tool, or the product
does not support this requirement
3= Functional requirement can be achieved through
configuration and/or customisation of the product
based on the substantiating evidence provided
5= Functional requirement is provided out of the box
with the product, and this is supported by the product
documentation provided
(ccc) The tool is able to provide an “attack potential rating” based on Evaluation Assurance Level (EAL).
Substantiate by providing a cross reference to an attached product specification that clearly depicts compliance with this requirement. The tool itself is not meant to be judged using EAL, but rather to provide an estimated EAL rating based on the scan results per asset.
0= No product documentation provided on how this
functionality is supported in the tool, or the product
does not support this requirement
3= Functional requirement can be achieved through
configuration and/or customisation of the product
based on the substantiating evidence provided
5= Functional requirement is provided out of the box
with the product, and this is supported by the product
documentation provided
(4) PRODUCT PERFORMANCE REQUIREMENTS
(a) A typical scan should have minimal impact on the network, generally not exceeding 150 Kbps of traffic on the network per scan.
Substantiate support of this requirement by detailing the parameters associated with a standard network vulnerability scan, and confirm the total bandwidth requirement of such a scan.
0= No confirmation provided that the product meets
these requirements or the product does not support this
requirement
3= The respondent has provided written confirmation
that their proposed product solution supports this
requirement, but no product documentation was
provided in substantiation of this claim
5= Confirmation in the form of product documentation
provided that the proposed product solution supports
this requirement
(b) The product must allow for the tuning of scan performance to tailor the amount of bandwidth consumed on the target network
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided on how this
functionality is supported in the tool, or the product
does not support this requirement
3= Functional requirement can be achieved through
configuration and/or customisation of the product
based on the substantiating evidence provided
5= Functional requirement is provided out of the box
with the product, and this is supported by the product
documentation provided
(c) Priority scanning must be catered for by allowing important scans to run at full speed while throttling other scans to run at ½ or ¼ speeds.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided on how this
functionality is supported in the tool, or the product
does not support this requirement
3= Functional requirement can be achieved through
configuration and/or customisation of the product
based on the substantiating evidence provided
5= Functional requirement is provided out of the box
with the product, and this is supported by the product
documentation provided
(d) The capability must exist to allow for scan exclusions to be specified, thereby preventing critical systems from being scanned.
Substantiate by cross-referencing the proposed solution functional specification documentation to clearly depict compliance with this requirement.
0= No product documentation provided on how this
functionality is supported in the tool, or the product
does not support this requirement
3= Functional requirement can be achieved through
configuration and/or customisation of the product
based on the substantiating evidence provided
5= Functional requirement is provided out of the box
with the product, and this is supported by the product
documentation provided
NOT APPLICABLE FOR THIS BID
(1)
The successful supplier will be bound by Government Procurement: General Conditions of
Contract (GCC) as well as this Special Conditions of Contract (SCC), which will form part of
the signed contract with the successful Supplier. However, SITA reserves the right to include
or waive the condition in the signed contract.
(2)
SITA reserves the right to –
(a)
Negotiate the conditions, or
(b)
Automatically disqualify a bidder for not accepting these conditions.
(3)
In the event that the bidder qualifies the proposal with own conditions, and does not
specifically withdraw such own conditions when called upon to do so, SITA will invoke the
rights reserved in accordance with subsection 9.1(2) above.
(4)
The bidder must complete the declaration of acceptance as per section 9.3 below by
marking with an “X” either “ACCEPT ALL” or “DO NOT ACCEPT ALL”, failing which the
declaration will be regarded as “DO NOT ACCEPT ALL” and the bid will be disqualified.
(1) CONTRACTING CONDITIONS
(a)
Formal Contract. The Supplier must enter into a formal written Contract (Agreement)
with the dti.
(b)
Right of Award. SITA reserves the right to award the contract for required goods or
services to multiple Suppliers.
(c)
Right to Audit. SITA reserves the right, before entering into a contract, to conduct or
commission an external service provider to conduct a financial audit or probity to
ascertain whether a qualifying bidder has the financial wherewithal or technical
capability to provide the goods and services as required by this tender.
(d)
Sub-Contracting. Due to the anticipated value of this bid, it is expected that no
external organisations will be sub-contracted by the primary bidder to deliver the
scope of work, and that individuals that deliver the scope on behalf of the successful
bidder will either be permanent employees of the bidder (as defined in the Labour
Relations Act) or individuals that are fixed duration direct contractors.
(2) DELIVERY ADDRESS. The supplier must deliver the required products or services at
(a)
The physical locations as specified in section 11.1.
(3) SCOPE OF WORK AND DELIVERY SCHEDULE
(a)
The Supplier is responsible to perform the work as outlined in the following Work
Breakdown Structure (WBS):
WBS | Statement of Work | Delivery Timeframe
1. | Design, install and implement the Vulnerability Management Solution (from date of appointment of the Supplier) | 3 consecutive calendar months or 13 consecutive calendar weeks or 93 consecutive calendar days
2. | On-site maintenance and support of the solution | 36 consecutive calendar months
(b)
Commencement of work is counted from the date of the appointment of the Supplier
(c)
Commencement of the period of Maintenance and Support is from the date of the
sign-off of the implementation phase of the project or the 3 consecutive months has
elapsed, whichever comes first.
(4) SERVICES AND PERFORMANCE METRICS
(a)
The Supplier is responsible to provide the following services as specified in the Service
Breakdown Structure (SBS):
SBS | Service Element | Service Grade | Service Level
1. | Call Centre Helpdesk | Normal | 08h00 to 16h30 Monday to Friday
2. | Incident Response | Normal | Maximum 4 hours
3. | Incident Restore | Normal | Maximum 24 hours
(b)
The Supplier is required to adhere to the following service specific preventative
maintenance conditions:
SBS | Service Element | Service Grade | Service Level
4. | Vulnerability Management system patching | N/A | In accordance with product manufacturer’s recommendation
5. | Upgrade of Solution to latest version as released | Normal | Within 14 days of version release.
(c)
The supplier is required to adhere to the following specific quality of service
conditions:
SBS | Service Element | Service Grade | Service Level
6. | Network Bandwidth Utilisation | Per segment | Maximum 150kb/s
(5) SCOPE OF TECHNICAL SOLUTION DEVELOPMENT
(a)
The bidder shall be able to support the centralised solution required by the dti, as well
as the necessary decentralised agent based and agentless collectors deployed across
the dti’s wide area network.
(6) SUPPLIER PERFORMANCE REPORTING
(a)
The Supplier will report on a weekly basis to the dti Project Manager during the design,
installation and implementation phase of the project; weekly written reports are to be
presented to the Project Manager on the progress of the preceding week.
(b)
The Supplier will report on a monthly basis to the project’s stakeholders during the
design, installation and implementation phase of the project.
(c)
The Supplier is required to generate regular reports as outputs during the maintenance
and support cycle within the following service levels (the report type will drive the
service level agreement; definition of the content of each report type will be finalised
at the time of concluding the contracted service level agreement):
(i)
Daily reporting (e.g. total vulnerabilities identified, total correlated
vulnerabilities, total incidents raised by severity) - report provided by 9am on the
day after the date under report
(ii)
Weekly reporting (e.g. summary of week's daily reports ranked by department,
asset, risk, etc.) - report provided by 9am on the Monday morning after the week
under report
(iii)
Monthly executive dashboard reporting (e.g. the dti vulnerability trend
reporting, organisational vulnerability health, etc.) - provided by the 5th calendar
day of each month after the month under report
(7) CERTIFICATION, EXPERTISE AND QUALIFICATION
(a)
The Supplier represents that,
(i)
it has the necessary expertise, skill, qualifications and ability to undertake the
work required in terms of the Statement of Work or Service Definition and;
(ii)
it is committed to provide the Products or Services; and
(iii)
perform all obligations detailed herein without any interruption to the Customer.
(b)
The Supplier must provide the service in a good and workmanlike manner and in
accordance with the practices and high professional standards used in well-managed
operations performing services similar to the Services;
(c)
The Supplier must perform the Services in the most cost-effective manner consistent
with the level of quality and performance as defined in Statement of Work or Service
Definition;
(d)
The bidder certifies that its key staff assigned to design, implement, maintain and
support the solution in terms of this bid are certified by the proposed product
manufacturer to do so, and have a minimum of 3 years’ experience in implementing
Vulnerability Management solutions. To this end, SITA and/or the dti reserve the right
to request of the bidder a full list of all assigned resources servicing the department in
the design, implementation, maintenance and support, listing:
(i)
Each person's qualifications (copies of qualification may be requested if the
department deems this necessary)
(ii)
Their number of years' experience in the ICT Security Industry
(iii)
Their number of years' experience in implementing, maintaining or supporting
the Supplier’s Vulnerability Management solution
(iv)
An indication of whether they are permanent or contracted employees
(8) LOGISTICAL CONDITIONS
(a)
Hours of work. The supplier must ensure that staff involved in the design and
implementation of the solution are available on site between 09h00 and 15h00
Monday to Fridays. Maintenance and support resources are required on site between
08h00 and 16h30 Monday to Friday.
(b)
In the event that the dti grants the Supplier permission to access the dti's environment
including hardware, software, internet facilities, data, telecommunication facilities
and/or network facilities remotely, the Supplier must adhere to the dti's relevant
policies and procedures (which policy and procedures are available to the Supplier on
request) or, in the absence of such policy and procedures, in terms of best industry
practice.
(c)
Tools of Trade. All computers and workstations required by staff to perform their
duties for the term of this agreement, together with licensed software must be
provided by the Supplier.
(d)
On-site and Remote Support. The Supplier must provide all support services on site.
Escalations to 3rd level support may be made by on-site resources but accountability
remains with the on-site resources.
(e)
Support and Help Desk. The Supplier must provide Helpdesk services through a
telephonic or electronic mechanism to allow the dti to log requests for support of the
solution. Maintenance and support efforts shall be coordinated with the dti and must
utilise the dti’s change management/control procedures.
(9) SKILLS TRANSFER AND TRAINING
(a)
The Supplier must provide certified training on the proposed solution or product to
management and technical staff to enable the dti to operate and support the product
or solution.
(b)
The nature of the training must be formal, and facilitated, hands-on training.
(10) REGULATORY, QUALITY AND STANDARDS
(a)
Regulatory, quality or standard requirements were stipulated within the mandatory or
non-mandatory sections of this bid.
(11) PERSONNEL SECURITY CLEARANCE
(a)
The Supplier personnel who are required to work with GOVERNMENT CLASSIFIED
information or access government RESTRICTED areas must be a South African Citizen
and at the expense of the Supplier may be security vetted (pre-employment screening,
criminal record screening and credit screening).
(b)
The Supplier must ensure that the security clearances of all personnel involved in the
Contract remains valid for the period of the contract.
(12) CONFIDENTIALITY AND NON-DISCLOSURE CONDITIONS
(a)
The Supplier, including its management and staff, must before commencement of the
Contract, sign a non-disclosure agreement regarding Confidential Information.
(b)
Confidential Information means any information or data, irrespective of the form or
medium in which it may be stored, which is not in the public domain and which
becomes available or accessible to a Party as a consequence of this Contract, including
information or data which is prohibited from disclosure by virtue of:
(i)
the Promotion of Access to Information Act, 2000 (Act no. 2 of 2000);
(ii)
being clearly marked "Confidential" and which is provided by one Party to
another Party in terms of this Contract;
(iii)
being information or data, which one Party provides to another Party or to which
a Party has access because of Services provided in terms of this Contract and in
which a Party would have a reasonable expectation of confidentiality;
(iv)
being information provided by one Party to another Party in the course of
contractual or other negotiations, which could reasonably be expected to
prejudice the right of the non-disclosing Party;
(v)
being information, the disclosure of which could reasonably be expected to
endanger a life or physical security of a person;
(vi)
being technical, scientific, commercial, financial and market-related information,
know-how and trade secrets of a Party;
(vii) being financial, commercial, scientific or technical information, other than trade
secrets, of a Party, the disclosure of which would be likely to cause harm to the
commercial or financial interests of a non-disclosing Party; and
(viii) being information supplied by a Party in confidence, the disclosure of which
could reasonably be expected either to put the Party at a disadvantage in
contractual or other negotiations or to prejudice the Party in commercial
competition; or
(ix)
information the disclosure of which would be likely to prejudice or impair the
safety and security of a building, structure or system, including, but not limited
to, a computer or communication system; a means of transport; or any other
property; or a person; methods, systems, plans or procedures for the protection
of an individual in accordance with a witness protection scheme; the safety of
the public or any part of the public; or the security of property; information the
disclosure of which could reasonably be expected to cause prejudice to the
defence of the Republic; security of the Republic; or international relations of the
Republic; or plans, designs, drawings, functional and technical requirements and
specifications of a Party, but must not include information which has been made
automatically available, in terms of the Promotion of Access to Information Act,
2000; and information which a Party has a statutory or common law duty to
disclose or in respect of which there is no reasonable expectation of privacy or
confidentiality;
(c)
Notwithstanding the provisions of this Contract, no Party is entitled to disclose
Confidential Information, except where required to do so in terms of a law, without
the prior written consent of any other Party having an interest in the disclosure;
(d)
Where a Party discloses Confidential Information which materially damages or could
materially damage another Party, the disclosing Party must submit all facts related to
the disclosure in writing to the other Party, who must submit information related to
such actual or potential material damage to be resolved as a dispute;
(e)
Parties may not, except to the extent that a Party is legally required to make a public
statement, make any public statement or issue a press release which could affect
another Party, without first submitting a written copy of the proposed public
statement or press release to the other Party and obtaining the other Party's prior
written approval for such public statement or press release, which consent must not
unreasonably be withheld.
(13) GUARANTEE AND WARRANTIES.
The Supplier warrants that:
(a)
The warranty of goods supplied under this contract remains valid for thirty-six (36)
months after the goods, or any portion thereof as the case may be, have been
delivered to and accepted at the final destination indicated in the contract;
(b)
as at Commencement Date, it has the rights, title and interest in and to the Product or
Services to deliver such Product or Services in terms of the Contract and that such
rights are free from any encumbrances whatsoever;
(c)
the Product is in good working order, free from Defects in material and workmanship,
and substantially conforms to the Specifications, for the duration of the Warranty
period;
(d)
during the Warranty period any defective item or part component of the Product be
repaired or replaced within 3 (three) days after receiving a written notice from the dti;
(e)
the Products are maintained during its Warranty Period at no expense to the dti;
(f)
the Products possess all material functions and features required for the dti’s
Operational Requirements;
(g)
the Product remains installed as per specification and requirement, and/or the Service
is continued during the term of the Contract;
(h)
all third-party warranties that the Supplier receives in connection with the Products
including the corresponding software and the benefits of all such warranties are ceded
to SITA without reducing or limiting the Supplier’s obligations under the Contract;
(i)
no actions, suits, or proceedings, pending or threatened against it or any of its third
party suppliers or sub-contractors that have a material adverse effect on the Supplier’s
ability to fulfil its obligations under the Contract exist;
(j)
SITA is notified immediately if it becomes aware of any action, suit, or proceeding,
pending or threatened to have a material adverse effect on the Supplier’s ability to
fulfil the obligations under the Contract;
(k)
any Product sold to the dti after the Commencement Date of the Contract remains
free from any lien, pledge, encumbrance or security interest;
(l)
The dti’s use of the Product and Manuals supplied in connection with the Contract
does not infringe any Intellectual Property Rights of any third party;
(m) the information disclosed to the dti does not contain any trade secrets of any third
party, unless disclosure is permitted by such third party;
(n)
it is financially capable of fulfilling all requirements of the Contract and that the
Supplier is a validly organized entity that has the authority to enter into the Contract;
(o)
it is not prohibited by any loan, contract, financing arrangement, trade covenant, or
similar restriction from entering into the Contract;
(p)
the prices, charges and fees to the dti as contained in the Contract are at least as
favourable as those offered by the Supplier to any of its other customers that are of
the same or similar standing and situation as the dti; and
(q)
any misrepresentation by the Supplier amounts to a breach of Contract.
(14) INTELLECTUAL PROPERTY RIGHTS
(a)
The dti retains all Intellectual Property Rights in and to SITA's Intellectual Property. As
of the Effective Date, the Supplier is granted a non-exclusive license, for the continued
duration of this Contract, to perform any lawful act including the right to use, copy,
maintain, modify, enhance and create derivative works of the dti’s Intellectual
Property for the sole purpose of providing the Products or Services to the dti pursuant
to this Contract; provided that the Supplier must not be permitted to use the dti’s
Intellectual Property for the benefit of any entities other than the dti without the
written consent of the dti, which consent may be withheld in the dti’s sole and
absolute discretion. Except as otherwise requested or approved by the dti, which
approval is in the dti’s sole and absolute discretion, the Supplier must cease all use of
the dti’s Intellectual Property, as of the earliest of:
(i)
termination or expiration date of this Contract;
(ii)
the date of completion of the Services; and
(iii)
the date of rendering of the last of the Deliverables.
(b)
If so required by the dti, the Supplier must certify in writing to the dti that it has either
returned all the dti’s Intellectual Property to the dti or destroyed or deleted all other
of the dti’s Intellectual Property in its possession or under its control.
(c)
The dti, at all times, owns all Intellectual Property Rights in and to all Bespoke
Intellectual Property.
(d)
Save for the license granted in terms of this Contract, the Supplier retains all
Intellectual Property Rights in and to the Supplier’s pre-existing Intellectual Property
that is used or supplied in connection with the Products or Services.
(15) TARGETED PROCUREMENT/TRANSFORMATION
There are no specific procurement/transformation targets.
ACCEPT ALL | DO NOT ACCEPT ALL
(1) The bidder declares to ACCEPT ALL the Special Conditions of
Contract as specified in section 9.2 above by indicating with
an “X” in the “ACCEPT ALL” column, OR
(2) The bidder declares to NOT ACCEPT ALL the Special
Conditions of Contract as specified in section 9.2 above by
(a) Indicating with an “X” in the “DO NOT ACCEPT ALL”
column, and;
(b) Provide reason and proposal for each of the conditions
that is not accepted.
Comments by bidder:
Provide reason and proposal for each of the conditions not accepted as per the format:
Condition Reference:
Reason:
Proposal:
QUALIFICATION NOTICE
To safeguard the integrity of the bidding process, the technical and financial
proposals should be submitted in separate sealed envelopes, as per “National
Treasury: Supply Chain Management a guide for Accounting Officers / Authorities,
2004”, section 5.9.4; therefore
All bid Pricing Schedules, as indicated in
section 10 COSTING AND PRICING, must be
submitted in a SEPARATE SEALED ENVELOPE,
failing which the bid WILL BE DISQUALIFIED.
(1)
ALL PRICING SCHEDULES MUST BE SUBMITTED IN A SEPARATE SEALED ENVELOPE, failing
which the BID will be DISQUALIFIED.
(2)
In terms of Preferential Procurement Policy Framework Act (PPPFA), the following
preference point system is applicable to all Bids:
(a)
the 80/20 system (80% Price, 20% B-BBEE) for requirements with a Rand value below
R1million where all applicable taxes are included; or
(b)
the 90/10 system (90% Price and 10% B-BBEE) for requirements with a Rand value
above R1million where all applicable taxes are included.
(3)
Based on the budget guideline this bid will be evaluated using the PPPFA preferential points
scoring system of 90/10.
(4)
The bidder must complete the declaration of acceptance as per section 10.3 below by
marking with an “X” either “ACCEPT ALL”, or “DO NOT ACCEPT ALL”, failing which the
declaration will be regarded as “DO NOT ACCEPT ALL” and the bid will be disqualified.
(5)
Bidder will be bound by the following general costing and pricing conditions and SITA
reserves the right to negotiate the conditions or automatically disqualify the bidder for not
accepting these conditions. These conditions will form part of the Contract between SITA
and the bidder. However, SITA reserves the right to include or waive the condition in the
Contract.
(1) The bidder must submit the Pricing Schedule(s) as prescribed in section 10.4 as well as the
relevant enclosed Standard Bidding Document SBD 3.1, 3.2 or 3.3.
(2) SOUTH AFRICAN PRICING. The total price must be VAT inclusive and be quoted in South
African Rand (ZAR).
(3) TOTAL PRICE
(a) All quoted prices are the total price for the entire scope of required services and
deliverables to be provided by the bidder.
(b) The cost of delivery, labour, S&T, overtime, etc. must be included in this bid.
(c) All additional costs must be clearly specified.
(4) BID EXCHANGE RATE CONDITIONS. The bidders must use the exchange rate provided below
to enable SITA to compare the prices provided by using the same exchange rate:
Foreign currency
1 US Dollar
1 Euro
1 Pound
South African Rand (ZAR) exchange rate
ACCEPT ALL | DO NOT ACCEPT ALL
(1) The bidder declares to ACCEPT ALL the Costing and Pricing
conditions as specified in section 10.2 above by indicating
with an “X” in the “ACCEPT ALL” column, or
(2) The bidder declares to NOT ACCEPT ALL the Costing and
Pricing Conditions as specified in section 10.2 above by
(a) Indicating with an “X” in the “DO NOT ACCEPT ALL”
column, and;
(b) Provide reason and proposal for each of the conditions
not accepted.
Comments by bidder:
Provide the condition reference, the reasons for not accepting the condition.
Note:
a) Bidder must complete the pricing as per table below (or as per the attached spread sheet if applicable).
b) Line Prices are all VAT EXCLUDING, and TOTAL PRICE is VAT INCLUSIVE
(1)
PRODUCT OR SERVICE PRICING
No
Product/Service description
1.
Vulnerability Management Licensing Primary
Solution (including monitoring of 1000 assets
and all licences for year 1)*
Annual License Renewal – Primary Solution
(year 2-3)*
On-site maintenance and support (year 1-3)
SUBTOTAL (VAT Excl.)
VAT (14%)
SUBTOTAL (VAT Incl.)
2.
3.
4.
5.
6.
Total Price
(VAT excl.)
Price YEAR 1
(VAT excl.)
Price YEAR 2
(VAT excl.)
Price YEAR 3
(VAT excl.)
* Pricing to include all patches, version upgrades, knowledge base updates and vulnerability library subscriptions.
(2)
LUMP SUM DELIVERABLE PRICING
No
Deliverable/Output Description
1.
2.
3.
4.
5.
6.
Design, installation and implementation of Vulnerability Management Solution (3 months)
Development and delivery of training manuals and material (Year 1)
On-Site skills transfer and training of the dti resources (Year 3)
SUBTOTAL (VAT Excl.)
VAT (14%)
SUBTOTAL (VAT Incl.)
(3)
BID TOTAL
No
Deliverable/Output Description
1.
2.
3.
Product and Services Pricing (from table 1)
Deliverable Pricing (from table 2)
Total Price
(VAT Excl.)
Total Price
(VAT Inclusive)
3-YEAR BID TOTAL
(4)
RATE OF EXCHANGE PRICING INFORMATION
Provide the TOTAL BID PRICE for the duration of Contract and clearly indicate the Local Price and Foreign Price, where –
(a) Local Price means the portion of the TOTAL price that is NOT dependent on the Foreign Rate of Exchange (ROE) and;
(b)
Foreign Price means the portion of the TOTAL price that is dependent on the Foreign Rate of Exchange (ROE).
(c)
Exchange Rate means the ROE (ZA Rand vs foreign currency) as determined at time of bid.
No
Description
1.
2.
3.
4.
5.
6.
7.
LOCAL Price (ZAR)
FOREIGN Price (ZAR)
Exchange Rate
Price YEAR 1
(Vat Excl.)
Price YEAR 2
(VAT Excl.)
Price YEAR 3
(VAT Excl.)
SUBTOTAL (VAT Excl.)
VAT (14%)
TOTAL (VAT Incl.)
BID TOTAL
SBD 3.1
PRICING SCHEDULE – FIRM PRICES
(PURCHASES)
NOTE:
ONLY FIRM PRICES WILL BE ACCEPTED. NON-FIRM PRICES (INCLUDING PRICES SUBJECT TO
RATES OF EXCHANGE VARIATIONS) WILL NOT BE CONSIDERED
IN CASES WHERE DIFFERENT DELIVERY POINTS INFLUENCE THE PRICING, A SEPARATE PRICING
SCHEDULE MUST BE SUBMITTED FOR EACH DELIVERY POINT
Name of bidder: …………………………………………………………
Bid number:
Closing Time: 11:00
Closing date:
OFFER TO BE VALID FOR ……… DAYS FROM THE CLOSING DATE OF BID.
_______________________________________________________________________________
ITEM
QUANTITY
DESCRIPTION
BID PRICE IN RSA CURRENCY
NO.
** (ALL APPLICABLE TAXES INCLUDED)
_______________________________________________________________________________
-
Required by: THE STATE INFORMATION TECHNOLOGY AGENCY SOC LTD
-
At:
…………………………………………………
…………………………………………………
-
Brand and model:
…………………………………………………
-
Country of origin:
…………………………………………………
-
Does the offer comply with the specification(s)?
*YES/NO
-
If not to specification, indicate deviation(s)
………………………………….
-
Period required for delivery
………………………………….
*Delivery: Firm/not firm
-
Delivery basis
……………………………………
Note: All delivery costs must be included in the bid price, for delivery at the prescribed destination.
** “all applicable taxes” includes value- added tax, pay as you earn, income tax, unemployment
insurance fund contributions and skills development levies.
*Delete if not applicable
Include the schedules that are referenced in the technical specifications sections.
The Department of Trade and Industry, 77 Meintjies Street, Sunnyside, Pretoria, Gauteng, 0002
N/A
Refer section 3.2
Refer section 3.3
Refer section 9.2
In alphabetical order
ARP      Address Resolution Protocol
CIO      Chief Information Officer
CIS      Center for Internet Security
CSD      Central Supplier Database
CVE      Common Vulnerabilities and Exposures
DNS      Domain Name Services
ICMP     Internet Control Message Protocol
ICT      Information and Communication Technology
IDS      Intrusion Detection System
IP       Internet Protocol
IPS      Intrusion Prevention System
kb/s     Kilobytes per second
LDAP     Lightweight Directory Access Protocol
MAC      Media Access Control
OCIO     Office of the Chief Information Officer
OS       Operating System
OWASP    Open Web Application Security Project
PCI      Payment Card Industry
POC      Proof of Concept
PPPFA    Preferential Procurement Policy Framework Act
RADIUS   Remote Authentication Dial-In User Service
RFB      Request For Bid
RFQ      Request For Quote
SAN      Storage Area Network
SANS     System Administration, Networking and Security
SITA     State Information Technology Agency
the dti  The Department of Trade and Industry
WAN      Wide Area Network
This section is reserved for the bidder to provide information related to the substantiating
evidence or comments in the format as required by the bid specification (e.g. text, graphical
representation, diagrams, statistical reports, lists, reference letters, copies of product of solution
documentation, certificates, licences, memberships, etc.).
Note: The evidence provided in this section will be used by the bid evaluation committee to
evaluate the bid. Therefore, each piece of substantiating evidence must be cross referenced to
requirements specification section.
DECLARATION CERTIFICATE FOR LOCAL PRODUCTION AND CONTENT FOR DESIGNATED SECTORS
This Standard Bidding Document (SBD) must form part of all bids invited. It contains general information
and serves as a declaration form for local content (local production and local content are used
interchangeably).
Before completing this declaration, bidders must study the General Conditions, Definitions, Directives
applicable in respect of Local Content as prescribed in the Preferential Procurement Regulations, 2011, the
South African Bureau of Standards (SABS) approved technical specification number SATS 1286:2011 (Edition
1) and the Guidance on the Calculation of Local Content together with the Local Content Declaration
Templates [Annex C (Local Content Declaration: Summary Schedule), D (Imported Content Declaration:
Supporting Schedule to Annex C) and E (Local Content Declaration: Supporting Schedule to Annex C)].
1. General Conditions
1.1. Preferential Procurement Regulations, 2011 (Regulation 9) makes provision for the promotion of
local production and content.
1.2. Regulation 9.(1) prescribes that in the case of designated sectors, where in the award of bids local
production and content is of critical importance, such bids must be advertised with the specific
bidding condition that only locally produced goods, services or works or locally manufactured goods,
with a stipulated minimum threshold for local production and content will be considered.
1.3. Where necessary, for bids referred to in paragraph 1.2 above, a two stage bidding process may be
followed, where the first stage involves a minimum threshold for local production and content and
the second stage price and B-BBEE.
1.4. A person awarded a contract in relation to a designated sector, may not sub-contract in such a
manner that the local production and content of the overall value of the contract is reduced to below
the stipulated minimum threshold.
1.5. The local content (LC) expressed as a percentage of the bid price must be calculated in accordance
with the SABS approved technical specification number SATS 1286: 2011 as follows:
LC = [1 - x / y] * 100
Where
x is the imported content in Rand
y is the bid price in Rand excluding value added tax (VAT)
Prices referred to in the determination of x must be converted to Rand (ZAR) by using the exchange
rate published by South African Reserve Bank (SARB) at 12:00 on the date of advertisement of the
bid as indicated in paragraph 4.1 below.
The SABS approved technical specification number SATS 1286:2011 is accessible on
http://www.thedti.gov.za/industrial_development/ip.jsp at no cost.
1.6
A bid may be disqualified if –
(a) this Declaration Certificate and the Annex C (Local Content Declaration: Summary Schedule)
are not submitted as part of the bid documentation; and
(b) the bidder fails to declare that the Local Content Declaration Templates (Annex C, D and E)
have been audited and certified as correct.
2. Definitions
2.1. “bid” includes written price quotations, advertised competitive bids or proposals;
2.2. “bid price” means the price offered by the bidder, excluding value added tax (VAT);
2.3. “contract” means the agreement that results from the acceptance of a bid by an organ of state;
2.4. “designated sector” means a sector, sub-sector or industry that has been designated by the
Department of Trade and Industry in line with national development and industrial policies for local
production, where only locally produced services, works or goods or locally manufactured goods
meet the stipulated minimum threshold for local production and content;
2.5. “duly sign” means a Declaration Certificate for Local Content that has been signed by the Chief
Financial Officer or other legally responsible person nominated in writing by the Chief Executive, or
senior member / person with management responsibility (close corporation, partnership or
individual).
2.6. “imported content” means that portion of the bid price represented by the cost of components,
parts or materials which have been or are still to be imported (whether by the supplier or its
subcontractors) and which costs are inclusive of the costs abroad (this includes labour or intellectual
property costs), plus freight and other direct importation costs, such as landing costs, dock duties,
import duty, sales duty or other similar tax or duty at the South African port of entry;
2.7. “local content” means that portion of the bid price which is not included in the imported content,
provided that local manufacture does take place;
2.8. “stipulated minimum threshold” means that portion of local production and content as determined
by the Department of Trade and Industry; and
2.9. “sub-contract” means the primary contractor’s assigning, leasing, making out work to, or employing
another person to support such primary contractor in the execution of part of a project in terms of
the contract.
3. The stipulated minimum threshold(s) for local production and content (refer to Annex A of SATS
1286:2011) for this bid is/are as follows:
Description of services, works or goods | Stipulated minimum threshold
_______________________________ | _______%
_______________________________ | _______%
_______________________________ | _______%
4. Does any portion of the services, works or goods offered have any imported content?
(Tick applicable box)
YES | NO
4.1 If yes, the rate(s) of exchange to be used in this bid to calculate the local content as prescribed in
paragraph 1.5 of the general conditions must be the rate(s) published by SARB for the specific
currency at 12:00 on the date of advertisement of the bid.
The relevant rates of exchange information is accessible on www.reservebank.co.za.
Indicate the rate(s) of exchange against the appropriate currency in the table below (refer to Annex A of
SATS 1286:2011):
Currency
US Dollar
Pound Sterling
Euro
Yen
Other
Rates of exchange
NB: Bidders must submit proof of the SARB rate (s) of exchange used.
5.
Were the Local Content Declaration Templates (Annex C, D and E) audited and certified as correct?
(Tick applicable box)
YES
NO
5.1. If yes, provide the following particulars:
(a) Full name of auditor: ………………………………………………………
(b) Practice number: ………………………………………………………………………..
(c) Telephone and cell number: ……………………………………………………………….
(d) Email address: ………………………………………………………………………..
(Documentary proof regarding the declaration will, when required, be submitted to the satisfaction
of the Accounting Officer / Accounting Authority)
6.
Where, after the award of a bid, challenges are experienced in meeting the stipulated minimum
threshold for local content the dti must be informed accordingly in order for the dti to verify and in
consultation with the AO/AA provide directives in this regard.
LOCAL CONTENT DECLARATION
(REFER TO ANNEX B OF SATS 1286:2011)
LOCAL CONTENT DECLARATION BY CHIEF FINANCIAL OFFICER OR OTHER LEGALLY RESPONSIBLE PERSON
NOMINATED IN WRITING BY THE CHIEF EXECUTIVE OR SENIOR MEMBER/PERSON WITH MANAGEMENT
RESPONSIBILITY (CLOSE CORPORATION, PARTNERSHIP OR INDIVIDUAL)
IN RESPECT OF BID NO. .................................................................................
ISSUED BY: (Procurement Authority / Name of Institution):
.........................................................................................................................
NB
1 The obligation to complete, duly sign and submit this declaration cannot be transferred to an
external authorized representative, auditor or any other third party acting on behalf of the bidder.
2 Guidance on the Calculation of Local Content together with Local Content Declaration Templates
(Annex C, D and E) is accessible on http://www.thedti.gov.za/industrial_development/ip.jsp. Bidders should
first complete Declaration D. After completing Declaration D, bidders should complete Declaration E and
then consolidate the information on Declaration C. Declaration C should be submitted with the bid
documentation at the closing date and time of the bid in order to substantiate the declaration made in
paragraph (c) below. Declarations D and E should be kept by the bidders for verification purposes for a
period of at least 5 years. The successful bidder is required to continuously update Declarations C, D and E
with the actual values for the duration of the contract.
I, the undersigned, …………………………….................................................... (full names),
do hereby declare, in my capacity as ……………………………………… ………..
of ...............................................................................................................(name of bidder entity), the
following:
(a) The facts contained herein are within my own personal knowledge.
(b) I have satisfied myself that:
(i) the goods/services/works to be delivered in terms of the above-specified bid comply with the
minimum local content requirements as specified in the bid, and as measured in terms of SATS
1286:2011; and
(ii) the declaration templates have been audited and certified to be correct.
(c) The local content percentage (%) indicated below has been calculated using the formula given in
clause 3 of SATS 1286:2011, the rates of exchange indicated in paragraph 4.1 above and the information
contained in Declaration D and E which has been consolidated in Declaration C:
Bid price, excluding VAT (y)
R
Imported content (x), as calculated in terms of SATS 1286:2011
R
Stipulated minimum threshold for local content (paragraph 3 above)
Local content %, as calculated in terms of SATS 1286:2011
If the bid is for more than one product, the local content percentages for each product contained in
Declaration C shall be used instead of the table above.
The local content percentages for each product have been calculated using the formula given in clause 3 of
SATS 1286:2011, the rates of exchange indicated in paragraph 4.1 above and the information contained
in Declaration D and E.
(d) I accept that the Procurement Authority / Institution has the right to request that the local content be
verified in terms of the requirements of SATS 1286:2011.
(e) I understand that the awarding of the bid is dependent on the accuracy of the information furnished in
this application. I also understand that the submission of incorrect data, or data that are not verifiable as
described in SATS 1286:2011, may result in the Procurement Authority / Institution imposing any or all of
the remedies as provided for in Regulation 13 of the Preferential Procurement Regulations, 2011
promulgated under the Preferential Policy Framework Act (PPPFA), 2000 (Act No. 5 of 2000).
SIGNATURE:
DATE: ___________
WITNESS No. 1
DATE: ___________
WITNESS No. 2
DATE: ___________
END OF SBD 6.2
LOCAL CONTENT TARGETS
The table below depicts the sectors/sub-sectors/industry goods that have been designated by the
DTI with a minimum threshold for local content.
No.
1
2
3
4
5
6
7
8
9
10
11
12
13
Sector/sub-sector/ industry
Buses (bus body)
Textiles, clothing, leather and
footwear
Power pylons
Canned/processed vegetables
Pharmaceutical products:
- OSD tender
- Family planning tender
Rolling stock
Set top boxes
Furniture products:
- Office furniture
- School furniture
- Base and mattress
Solar water heater components
Electrical and telecom cables
Valves products and actuators
Residential electricity meter:
- Prepaid electricity meters
- Post-paid electricity meters
- Smart meters
Working vessels/boats (all
types):
Components
Minimum
thresholds for
local content
Bid specification
requirements
designated by
DTI (indicate with
“X”)
SITA local
content target
(%)
X
90%
80%
100%
100%
80%
70% volumes
50% value
65%
30%
85%
100%
90%
70%
90%
70%
70%
70%
50%
60%
10%-100%