BIDS AND AWARDS COMMITTEE FOR GOODS AND SERVICES

(BAC4G&S)

 

Supplemental Bid Bulletin No. 4

 

SUPPLY, INSTALLATION AND DELIVERY OF CYBERSECURITY MANAGEMENT SYSTEM PROJECT

 

Bid Reference No.:  BAC4G&S-2018-002

 

After considering the queries, clarifications, recommendations and suggestions, the BAC4G&S hereby decides to include, revise, amend, delete and/or adapt the following provisions:

ITEM NO. QUERY BAC4G&S RESPONSE
1 The foreign bidder has a Philippine branch. Would the Class A docs of the Philippine branch be sufficient to fulfill the eligibility requirements documentation as the Philippine branch is the official rep of the foreign company? Yes, as long as the Philippine branch will be the one to participate in this bidding.
2 For a foreign majority owned company, will the BAC accept the references of the parent company of the foreign majority owned company?  For example, 60% of ABC Philippines is owned by ABC USA.  Can ABC Philippines use the SLCC of ABC USA without ABC USA becoming part of the JV? No, bidders are required to submit their own technical eligibility documents for purposes of complying with the eligibility requirements. They cannot rely on the technical credentials of their foreign company.
3 Would the submission of the primary JV partner’s NFCC be sufficient to fulfill the requirements of the JV? Yes, submission by any of the Joint Venture partners constitutes compliance. Provided, however, that the partner responsible to submit the NFCC shall likewise submit the Statement of all its ongoing contracts and Audited Financial Statements.
4 Foreign bidder being part of a JV (with a Filipino company) with at least 60% local ownership:

 

a. For a foreign majority owned company, will the BAC accept the references of the parent company of the foreign majority owned company?  For example, 60% of ABC Philippines is owned by ABC USA.  Can ABC Philippines use the SLCC of ABC USA without ABC USA becoming part of the JV?

 

b. The foreign bidder has a Philippine branch. Would the Class A docs of the Philippine branch be sufficient to fulfill the eligibility requirements documentation as the Philippine branch is the official representative office of the foreign company?

 

c. In relation to question 1.2, as the Philippine branch is the official representative of the foreign company, is it correct to assume that the Philippine branch can use the references (i.e. SLCC) of the foreign company.

 

a. No, bidders are required to submit their own technical eligibility documents for purposes of complying with the eligibility requirements. They cannot rely on the technical credentials of their foreign company.

 

b. Yes, as long as the Philippine branch will be the one joining this bidding.

 

c. No, bidders are required to submit their own technical eligibility documents for purposes of complying with the eligibility requirements. They cannot rely on the technical credentials of their foreign company.

5 In page 48, a statement “*In case of Joint Venture, both partners must present/submit above item.”  The use of the word “both” signifies 2 partners, which contradicts item (e) in page 10 “Persons/entities forming themselves into a Joint Venture (JV), i.e., a group of two (2) or more persons/entities that intend to be jointly and severally responsible or liable for a particular contract…”. Should the phrase in page 48 state instead: “*In case of Joint Venture, all partners must present/submit above item.”? Should you participate in this bid as a Joint Venture, it is required that all JV partners must submit the stated Post Qualification Documents as per 29.2 of Section III. Bid Data Sheet.
6 I am assuming the following as typo errors, for your confirmation please:

 

a. Clause 23.2 in page 24 of the ITB.

b. Also on page 24 of the ITB, the paragraph states: “Each partner of a joint venture agreement shall likewise submit the requirements in ITB Clause 12.1(a)(i). Submission of documents required under ITB Clauses 12.1(a)(ii) to 12.1(a)(iii) by any of the joint venture partners constitutes compliance.” “ITB” should be BDS since there is no 12.1(a)(1) in ITB Clause 12.1.

 

c. On page 24 and 25 of the ITB, Clause 24.8 and 24.9 should be 13.7 and 13.8.

 

d. In page 29 of the ITB, ITB Clauses 29, 32 and 33 are stated. I assume that these refer to BDS instead as there are no ITB Clauses 29, 32 and 33.

 

e. In page 36 of the BDS, item a. states “Should the bidder opt to submit NFCC, computation must be equal to the ABC of the project.” I am assuming that this should have been stated as “Should the bidder opt to submit NFCC, computation must be equal to or more than the ABC of the project.”

 

a. There is a typographical error in the numbering of the Section II Instruction to Bidders (ITB). Please refer to the table below for the corrected numbering of ITB.

 

b. Item no. 12 in the BDS should be 12.1. Please refer to the BDS for the requirements under Eligibility and Technical Documents.

 

c. Yes, this is a typographical error. Please refer to the table below for changes in provisions.

 

d. There is a typographical error in the numbering of the Section II Instruction to Bidders (ITB). Please refer to the table below for the corrected numbering of ITB.

 

e. Yes, the Net Financial Computing Capacity computation must at least be equal to the total ABC of the project. Please refer to the table below for changes in provisions.

7 In case of a Joint Venture:

If the foreign company intends to do a joint venture with a local company, it has been mentioned during the Pre-Bid Conference that the foreign company should have a reciprocal arrangement from their country of origin and must submit a document as proof hereof. If the country of origin is one of the members of a Philippines Free Trade Agreement such as with ASEAN Free Trade Area (AFTA), North American Free Trade Agreement (NAFTA), European Free Trade Association (EFTA), and European Union (EU) Free Trade Agreement, does that automatically warrant proof of reciprocity, without the need to submit such document?

Yes, as long as the Joint Venture (JV) complies with 23.4.1.1. (e) of the 2016 Revised IRR of RA9184 which states:

 

23.4.1.1. (e) Persons/entities forming themselves into a joint venture, i.e., a group of two (2) or more persons/entities that intend to be jointly and severally responsible or liable for a particular contract: Provided, however, That Filipino ownership or interest of the joint venture concerned shall be at least sixty percent (60%). For this purpose, Filipino ownership or interest shall be based on the contributions of each of the members of the joint venture as specified in their JVA.

 

If the JV concerned does not have at least sixty percent (60%) Filipino ownership or interest, the foreign company in that JV must submit a certification from relevant government office of their country stating that Filipinos are allowed to participate in their government procurement activities for the same item or product.

8 Please confirm that the 10% Warranty Retention under 10.1 of page 53 is typo error. Yes. Retention is 1% as per the 2016 Revised IRR of RA9184
9 Are the foreign entities required to submit PhilGEPS Platinum Registration (for the purpose of Post Qualification) and the Philippine Tax Clearance if they already provided the equivalent documents for the Class A Eligibility Documents under the JV or Consortium? Yes.
10 Can you please provide us the latest format for the committed Line of Credit if we are not going to use the NFCC format? We do not have the latest format of the committed Line of Credit. However, please note that the committed Line of Credit should be issued by a Local Universal or Local Commercial Bank.
11 BDS- For Joint Venture: 4. 2015 & 2016 Audited Financial Reports

 

May we request to change the coverage to the latest, 2017 & 2016?

Yes, this is a typographical error. The Audited Financial Statements that should be submitted are for years 2017 and 2016.
12 BDS- xvii. For foreign bidders claiming eligibility

 

Is this requirement not applicable for foreign bidders that will partner with a local entity through a Joint Venture?

Yes, as long as the Joint Venture (JV) complies with 23.4.1.1. (e) of the 2016 Revised IRR of RA9184 which states:

 

23.4.1.1. (e) Persons/entities forming themselves into a joint venture, i.e., a group of two (2) or more persons/entities that intend to be jointly and severally responsible or liable for a particular contract: Provided, however, That Filipino ownership or interest of the joint venture concerned shall be at least sixty percent (60%). For this purpose, Filipino ownership or interest shall be based on the contributions of each of the members of the joint venture as specified in their JVA.

 

If the JV concerned does not have at least sixty percent (60%) Filipino ownership or interest, the foreign company in that JV must submit a certification from relevant government office of their country stating that Filipinos are allowed to participate in their government procurement activities for the same item or product.

13 BDS- 29.2: Latest ITR and Business Tax Returns filed through EFPS

 

For foreign bidders, will the submission of their equivalent ITR and Business Tax Returns without EFPS be sufficient for the requirement?

 Yes.
14 iv. Audited Financial Statements

 

Can we just submit the 2017 Audited Financial Statements with comparative reports for 2017 & 2016 only? Or do you really require 2017 and 2016 FS with comparative reports for 2017 & 2016 and 2016 & 2015?

Yes, submission of 2017 Audited Financial Statements with comparative 2017 and 2016 is sufficient.
15 vi. Completed Single Largest Contract

 

a. Due to the magnitude of the project, may we request to relax the requirement to submission of minimum of 3 Aggregate Contracts, one of which should be at least 25% of the budget?

 

b. May we also request to allow submission of a Notarized Declaration from the bidder, stating that they have handled and completed similar projects within the timeline specified in the bidding documents? Request is being made in lieu of the submission of Annex I-A, Statement of SLCC and Annex VII, Certificate of Performance Evaluation, which requires the bidders to submit/disclose sensitive information of our clients that may infringe the rules of the contract with regards to the Security/ National Security for that matter.
c. May we know the exchange rate to be used if the contract to be submitted is in a foreign currency (e.g. US Dollar)? Is it the exchange rate on the date of the submitted contract or the exchange rate a day before the bid submission?

 

a. Bidder can submit Statement of at least two (2) contracts of similar nature, the aggregate of which should be equivalent to at least fifty percent (50%) of the ABC, the largest of these contracts must be equivalent to at least twenty five percent (25%) of the ABC. Please refer to the table below for changes in provisions.

 

b. Request is denied. For the Statement of Single Largest Contract (SLCC), any of the following documents must be submitted corresponding to listed contracts per submitted Annex I-A:

(i) Copy of End user’s acceptance;

(ii) Copy of official receipt/s; or

(iii) Copy of sales invoice

 

c. The exchange rate to be used, in case the SLCC or similar contracts are in foreign currencies, is the exchange rate prevalent at the time said contract/s was/were entered into.

16 viii. Net Financial Contracting Capacity of Credit Line Certificate

 

For Joint Venture, may we clarify if submission of one of the JV partners will suffice?

Yes, submission by any of the Joint Venture partners constitutes compliance. Provided, however, that the partner responsible to submit the NFCC shall likewise submit the Statement of all its ongoing contracts and Audited Financial Statements.
17 12 Penalty Clause

May we request that the Penalty Clause be only applied/charged after non-compliance on the completion of the whole project based on the total number of months stated in the Schedule of Requirements, say for now, it is after 10 months, and not based on the per milestone completion?

Request is denied. Penalty shall apply on the non-compliance of the project timeline as stated in the Technical Specifications and Schedule of Requirements.
18 For the NFCC, there are clients that we have NDAs with and we cannot disclose the name of the company nor the amount.

 

To comply with the full disclosure requirement, we are planning to consolidate all the amounts of clients under NDAs and disclose it under 1-line item (in Bidding Form Annex 1). Under this process:

Bidder provides the amount of ALL outstanding contracts (including under NDAs)

Bidder provide an accurate NFCC without violating the existing NDAs

 

The line item would be similar to the table below (row in yellow):

 

Would this be accepted by the BAC?

According to the GPPB Non-Policy Opinion 2014-10-09, it states that “It is worthy to point out that the amended provision states statement of “all” on-going government and private contracts, including awarded but not yet started, if any, whether similar or not similar in nature and complexity to the contract to be bid within the relevant period as provided in the Bidding Documents. As such, even contracts that include non-disclosure agreements or confidentiality clauses are required to be disclosed. It is likewise good to clarify that the requirement refers to a statement to be made by the bidder relative to all its ongoing and private contracts, and not the actual submission of the physical contracts.”

Thus, the bidder should submit the statement of all ongoing contract with all the necessary information as indicated in Annex I.

19 For unincorporated joint ventures, the billing party shall be the prime partner. Is this assumption correct? Yes, unless the Joint Venture will submit a different authorized billing party.
20 If the authenticated documents from the Philippine Embassy do not reach us on time, can the scanned documents and the receipts issued by the Philippine Embassy (to prove that the documents have indeed been submitted for authentication) be submitted instead as part of the eligibility requirements? No, the authenticated documents must be submitted.
21 Bid Data Sheet, ITB Clause 5.4

 

Though this has been discussed during the pre-bid conference, we will await for the issuance of the Supplemental Bid Bulletin on the revision for the following:

• from single largest contract to at least two (2) contracts
• definition of similar in nature

Bidder can submit Statement of at least two (2) contracts of similar nature, the aggregate of which should be equivalent to at least fifty percent (50%) of the ABC, the largest of these contracts must be equivalent to at least twenty five percent (25%) of the ABC.

 

Similar in nature shall mean “Security Operations Center”.

 

Please refer to the table below for changes in provisions.

22 Bid Data Sheet, ITB Clause 12. vi.

 

In lieu of the End-user’s acceptance, can we submit a Certificate of Completion – translated into English and duly authenticated by the Philippine Embassy in the country and Project contract that includes all the details of the project implemented and delivered, translated into English and duly authenticated by the Philippine Embassy in the country

No, only any of the following documents must be submitted corresponding to listed contracts per submitted Annex I-A:

(i) Copy of End user’s acceptance;

(ii) Copy of official receipt/s; or

(iii) Copy of sales invoice

 

23 Bid Data Sheet, ITB Clause 12, Class “B” documents (for Joint Venture)

What are the documents to be submitted by a foreign joint venture partner?

For foreign company, the eligibility requirements may be substituted by the appropriate equivalent documents, if any, issued by the country of the foreign bidder concerned.

 

The eligibility requirements to be submitted must be in English. If eligibility requirements are in foreign language other than English, it must be accompanied by a translation of the documents in English. The documents shall be translated by the relevant foreign government agency, the foreign government agency authorized to translate documents, or registered translator in the foreign bidder’s country; and shall be authenticated by the appropriate Philippine foreign service establishment/post or the equivalent office having jurisdiction over the foreign bidder’s affairs in the Philippines.

 

The equivalent eligibility documents shall be accompanied by a Sworn Statement attached herewith as Annex A.

24 For services that are both available as cloud based and hardware-based form, it is in our experience and the recent trends in the IT sector that a lot of the services can be provided more cheaply and efficiently from the cloud as compared to investing massively in on-site physical hardware, where the latter would require periodic maintenance and high availability solutions for maximum uptime.  Cloud solution provides maximum DR and availability, in addition to the offloading of the 24/7 management and maintenance from the on-site support to the cloud team. The CMS is a combination of cloud and on-premise technology. A hybrid technology is expected in the project provided that the analysis and threat intelligence coming from the priority agencies is on premise and the feed sources coming from the vendor is cloud-based.
25 15000 initial endpoint allocation means that there is a possibility that overpayment will happen due to underutilization of the licenses (one endpoint/one license). The 15000 is an end user requirement and it will be utilized and distributed.

 

26 Cloud solutions often offer virtual appliances that leverages existing and new virtualized landscape for an overall lower TCO. The CMS will remain as stated in the Technical Specifications.
27 Savings from using cloud solutions will then go to investments on SOC core components. The CMS will remain as stated in the Technical Specifications.
28 Would a project on machine learning qualify as a similar project as machine learning is a requirement of the TOR? Please refer to the stated definition of “similar in nature” stated in the Invitation to Bid.
29 What would be the acceptance criteria of the priority agencies (i.e. what documents will the supplier show to collect the 10%?). The basis of this question is for example, one of the priority agencies does not want to accept the installation and configuration of hardware/software but the other nine agencies have already accepted, the 10% payment should not be withheld. The End-User already has a MOA as a prerequisite requirement and scoping with each agency to ensure that said agencies are ready and willing to accept the installation and configuration of hardware/software.
30 In relation to question 4, will DICT accept instead the installation/configuration of the hardware/software on behalf of agencies who may not be cooperating as expected so that payment to the supplier can proceed? Please refer to answer above.
31 In relation to question 4, DICT shall take care of all the MOA/MOU with the priority agencies for the supplier to install/configure the hardware/software. Is this assumption accurate? Yes, DICT will be responsible in the MOA/MOU with the priority agencies to ensure that the scope and SLAs are all correct and fair. MOU/MOA development should be in coordination with the winning bidder.
32 In the payment terms (page 129 of the document), the last item states:

 

Milestone: Upon completion of Knowledge Transfers and submission of As – Built Plans, Operations & Maintenance Manuals, Warranty completion of Training Sessions

 

Progress: 20%

 

a. The phrase “Warranty completion of Training Sessions” should have been written as “Warranty, completion of Training Sessions”.  Is this a correct assumption?

 

b. In reference to item 1, completion of Warranty should not be included in this milestone because the warranty ends after 3 years.  I do not think it is the intention of DICT to pay the 20% after 3 years.   Is this a correct assumption?

 

a. Yes, it is a typographical error.

 

b. Yes, please refer to the table below for changes in provisions.

33 Further define the “Security Operations Center (SOC)” in the Single Largest Completed Contract The term similar project in the SLCC (As indicated in the Bidding Documents) shall not be limited to the Security Operations Center that was established by the vendor in previous clients. Similar projects shall mean similar solutions that will be offered to the end user that was deployed in previous clients. SOC shall mean same project that has threat Intelligence Platform, Case Management System, Analysis and Incident Response.
34 a. On Business Registration Certificate, are we pertaining to the Mayor’s Certificate or Business Permit?

 

b. The SEC Certificate does not include experience in the field of intelligence, threat detection and cyber security. We are categorized as ICT.

a. No. It should be a registration certificate from SEC.

 

b. The statement “field of intelligence, threat detection and cyber security” will be changed to field of ICT.

35 a. Define Civil Works in the Technical Specifications

 

b. Is it possible to extend the timeline for the Hardware/Software On-site Delivery to 1.5 months instead of 1 month?

a. Civil Works shall include the installations of all requirements of the Physical Security, Mantrap access, and physical data storage and on-premise rack servers, wiring and power supplies for solutions. It also includes securing the windows of the SOC and other needed details to ensure that the delivered solutions and systems will function smoothly. The details of the design should also be accomplished/submitted.

 

b. Yes, the total for the schedule of the requirements will be 315 calendar days. Please refer to the table below for change in provisions.

36 What would be the case for foreign bidders? Refer to clause 5 of Invitation to Bid. There is a reciprocal right/rule to follow. If the country of origin of the bidder allows Filipinos to bid in their projects, then they can do so for this project. However, you must provide supporting documents for this reciprocity rule to apply.
37 a. For Item 2.1.3.5, is it possible to work around with this requirement since we have non-disclosure agreement with our clients?

 

b. For item 2.1.3.5, is it limited to local clients?

a. Provide an Affidavit that you provided/performed cyber forensic investigations to at least 2 clients.

 

b. No.

38 Clarification on the measurement of SOC Floor plan See Item No. 33.
39 For the portable SOC, how portable should it be? It should be at least 2 laptops for different OS like Linux and Windows. The requirement is that one person should be able to carry the portable SOC. Thus, 1 or 2 laptops would be fine. However, the portable SOC must have the following features and services:

1. SIEM & Free-Form Log Search Engine Services

2. Intrusion Detection System (Host & Network)

3. Threat Intelligence Update  Services

4. Automated Network Malware Analysis Services

5. Rapid Incident Response Agent Services

6. Honeypot-based Intrusion Detection System Services

7. Network Forensic Data Capture Services

8. Compliance Checking & Management Services

40 a. For the firewall, we think the 200 Gbps is too big for 10 agencies. is the idea to protect the agencies?

 

b. Can we aggregate the 200 Gbps for crawlers and core?

a. Protection of internal SOC only. 200 Gbps is not correct. We only require 20Gbps.

 

b. No. It’s for the core only. The solution will give the agency a small dashboard to access endpoints.

41 a. For the Deployment, are the 10 priority agencies connected?

 

b. If via internet, are their infrastructure included in the project?

a. These agencies will be connected thru sensors.

 

b. No. Each agency should have their own Network Operations Center as requirement. Otherwise, they will not be prioritized.

42 For the Disaster Recovery System, should it be provided by the solutions provider or DICT? It should be the solutions provider and must be a cold-site with backup.
43 a. How real-time should be the communication, 1 hour for storage or daily updated?

 

b. Where should the cold site be placed?

a. It should not be later than 1 hour.

 

b. Within the Philippines

44 For item 7.1.1.9.3, what if the VAPT operates only on a specific OS? It must support all listed OS.
45 For the DDOS Protection System, do you require a separate analyst? No, the analyst must be one of the four personnel provided by the vendor.  However, it should be noted that the DICT SOC should be able to operate and protect itself, as part of the solutions, without the involvement of the vendor’s SOC. Assistance will only be requested when necessary.
46 Can you provide the identification of logs to be collected? Logs to be collected are based on the privacy guidelines logs on cyber threats.
47 For Software licensing, is it perpetual or 3 years with the additional agencies in the next years? Software licenses which are subscription-based must be for 3 years, including those for the 10 agencies. Thereafter, software licensing shall be under a new bidding process.
48 Clarification for VAPT Tool since hardware specifications are included in TOR. Please refer to the table below for changes in provisions.
49 Clarifications to the warranty and when will it start? Upon issuance of the Certificate of Completion and Final Acceptance.
50 On the requirement to submit the “Business Registration Certificate (BRC) with a minimum of five (5) years of experience in the field of intelligence, threat detection and cyber security;”, the Certificate of Registration issued by the Bureau of Internal Revenue uses the PSIC Code to classify the line of business/industry of the company.  The company has filed its registration in 1997 and it was only in the 2009 PSIC code that information and communications was added.

 

Please refer to page 4 of the attached document (NSCB_PSIC 2009.PDF). The document was downloaded from the BIR website (https://www.bir.gov.ph/index.php/industrial-occupational-code.html).

 

The Articles of Incorporation/License to Transact Business in the Philippines mentions the terms:

 

Operation, installation and maintenance of systems solutions and products which use computing, electronic, communications and other information technologies

Offer/render consultancy services …in the areas of business process reengineering, information systems design, … software development…knowledge technologies.

 

Would these information suffice to fulfill the requirement of the BRC in the field of intelligence, threat detection and cyber security?

Yes, this will suffice the requirement if the BRC in the field of ICT.
51 SOC Layout

a. Is the given layout to scale? What is the factor?

 

b. Is the proposed location already subjected to structural analysis?

 

c. Is the required equipment load considered?

 

d. Can we have a copy of the structural assessment, if any?

 

e. If there is no structural analysis done yet, will the cost be included in the project or a separate engagement outside the project budget?

 

f. Is there sufficient power to supply the required equipment? If there are electrical works attributed to the supply of power, is it a separate engagement outside the project budget?

 

g. When is the schedule of site survey?

SOC Layout

a. Yes, Scale = 1:75m

 

b. No

 

c. Yes but the load that will be placed in the Security Operations Center are considered lightweight which only consist of servers and minimal number of rack cabinets. As per our study, the Building can accommodate this load as this building was created for the establishment of Security Operations Center.

 

d. Refer to letter b.

 

e. Refer to letter b.

 

f.  Power supply will be available however electrical panel board should be constructed by the winning vendor.

 

g. We will no longer allow site visit to the SOC because the floorplan is already attached in the Technical Specifications.

52 Scope of Work SOC Setup

a. Can we have the perimeter blueprints?

 

b. How many workstations are needed?

 

c. How many CCTV cameras, Keypad and Finger-Vein Biometric Authentication are needed? Are there any preferred specifications?

 

d. How many rack cabinets shall be needed? Any preferred brand or specifications?

 

e. How many Large Field (LED Monitor) Displays needed in the Video Wall? Any preferred brand or specs?

 

f. What are the dimensions for the Switchable Privacy Glass Filters?

 

g. What is the preferred fire suppression system? Do we include VESDA?

 

a.  We can only provide the floorplan layout which is already in the Technical Specifications.

 

b. Please refer to the Technical Specifications. (page 124) (11 Workstations for the SOC Manager, supervisor, and Analysts, 1 workstation for the Info desk, and 2 Laptop for VAPT Services)

 

c. For the CCTV Cameras, please refer to the Technical Specifications. Specifications for the keypad and Finger-Vein Biometric Authentication are already in the TOR. We need 4 Finger-Vein Biometric Authentication and 4 Keypad Authentication. A facial recognition scheme shall also be included in the Analysts, supervisor and SOC Manager Workstation. Therefore, we need 10 Facial Recognition System in the SOC. (Please refer to the Technical Specifications)

 

d. The number of rack cabinets will depend on the proposal of each vendor. It will be accepted as long as it will suffice to the requirements of the TOR and will provide turnkey solution to the end user.

 

e. Please refer to the Technical Specifications.

 

f. Please refer to the floorplan

 

g. Kindly include VESDA. We require vendor to provide fire extinguishers that are best to protect computer rooms and electronics.

53 Disaster Recovery Management System

 

a. For the off-site disaster recovery, is there a preferred location?

 

b. Is there a minimum distance requirement from the production site?

 

c. Will the disaster recovery site have the same exact capabilities (e.g. volume of transactions, etc.), functionalities (e.g. threat intelligence, web intelligence, etc.) and specifications (e.g. internet speed and bandwidth, etc.)

 

d. For the back-up, do we consider on-site back-up as well as off-site replication? Will replication be done on the virtualization level or will it include SAN storage replication as well?

 

e. For off-site replication, do we intend to replicate everything in the production site or select systems only (i.e. SAN storage only)?

 

f. For the SAN storage, does the back-up portion require the same IOPS as the production data portion of the storage? Does the SAN storage needs to be tiered in terms of IOPS or is it required to have the same (or different) disk speed between production and DR?

 

g. Is there any required specific RTO/RPO?

 

h. For disaster recovery of power management systems, does this pertain to both UPS, battery and generator sets? Are there power ratings already identified? What configuration (N + 1, 2N or 2N + 1)?

 

 

a. The Disaster Recovery Management System will be in Hybrid Form. Hence, some of the backup appliances / backup components / standby appliances / standby components are on-premise with different network from the Core and some will be placed in cloud.

 

b. The offsite DR will be on the cloud. Cold site only. Same capability without forensics.

 

c. Yes for system solutions and its data.

 

d. As long as a secondary appliance / secondary service / secondary component outside the production site can take over the functionality should the production site become unavailable.

 

e. As long as replication / duplication / mirroring can take over functionality should the production site become unavailable.

 

f. The project needs backup of both system and data to run the main systems (Redundant). Please also understand there is a separate backup of the data only.

 

g. SOC needs 24 hrs or less for this. We will consider the faster solutions.

 

h. This pertains to the UPS with 10 mins runtime, 2N + 1

54 General questions DDoS:

 

a. Could you please advise the DDoS expected deployment scenario (e.g., distributed or centralized in DC? how many locations? What is the bandwidth of each location? How many internet links of each location?).

b. How many protected networks (i.e., 24 public prefix do you need to protect)?

 

c. Do you have your own public IP address and ASN already?

 

d. If the deployment is distributed, can you confirm that you are going to deploy min. /24 public IP prefix for each location?

 

a. DDOS Protection will be deployed only in the Core SOC. The location of the SOC can be found in the TOR. 1 location, bandwidth: 40Gbps.

 

b. The network protection tools will be deployed only in the Core SOC. The solution must protect all equipment, traffic, and data inside the SOC. Also, please note that only endpoint sensors/agents and log collectors are the equipment that will be deployed in the priority agencies network

 

c. None yet.

 

d. Not applicable, DDOS protection will be deployed only in the SOC.

55 Requirement Questions for DDoS:

 

a. For 7.1.1.2.2.1.9, could you please clarify on encrypted traffic? Is that referring to SSL IPv6?

 

b. For 7.1.1.2.2.1.11.7, would you please explain further on this requirement “Idle TCP sessions and blacklist consecutive fails”?

 

c. For 7.1.1.2.2.3.12, could you please elaborate on “per application redirection” using DNS?

 

d. For 7.1.1.2.2.3.10, is this requirement not to change BGP related configuration to divert the traffic to the cloud DDoS scrubbing centre? Please help to elaborate.

 

e. For 7.1.1.2.2.3.13, does this mean that you don’t want to use port 80/443 to do API with our Cloud DDoS service? If yes, could you please share your reason?

 

f. For 7.1.1.2.2.3.14, Could you please explain for “ability maintain the source IP address in the case where SSL cannot be loaded into the platform”?

 

g. For 7.1.1.2.2.4.2, can you share with us for the requirement of integrating with firewall?

 

 

a. Yes. Please refer to the requirements stated in the Technical Specifications.

 

b. TCP sessions not doing anything shall be cleared.

 

c. Any suspected DDOS attack shall be redirected for inspection.

 

d. Solution shall provide information as to when the DDOS is diverted to the cloud.

 

e. This depends on the configuration of port set by the solutions provided by the vendor other than the common port 80 and 443.

 

f. In the event SSL CERT cannot be loaded connection should not keep on resetting. It should still work, and source IP is still used.

 

g. Two separate firewalls shall be able to protect from DDOS and any excess to its capability should be able to be thrown to the cloud solution.

56 For the requirement of Network Advance Threat Protection (Page 95 – Number 7.1.1.2.3) and Network Monitoring (Page 102 – Number 7.1.1.3);

 

Does the end-user require one product only or can we offer combination of two products that will comply on the required solution?

Yes, we will accept it as long as the vendor is compliant to the said requirements.
57  On Page 95, number 7.1.1.2.3.1; It says that “the solution shall include network threat Protection Sensor that supports Inline blocking mode OR span / tap mode.”

 

While on the same page, number 7.1.1.2.3.5 it says that “Detection Appliance shall support inline monitoring AND blocking.”

 

The two statements are contradictory to each other. May I know which statement we are going to follow, and can the end-user consider the specification “Blocking Mode OR Span / Tap Mode” instead of requiring both?

7.1.1.2.3.1: It says that “the solution shall include network threat Protection Sensor that supports Inline blocking mode.”
58 On page 95, number 7.1.1.2.3.4; It says, “Detection Appliance OS Software shall automatically be updated from the Web Management GUI”.

 

Can the end-user also accept Manual Update of OS Software of Detection Appliance?

It should be updated automatically with minimal manual updates.
59 On page 102, number 7.1.1.3.1.5; it says that “The solution shall be able to aggregate multiple 1GE links to one 1GE interface to increase the throughput on the links in a passive, non-intrusive manner.”

 

Can the end-user be more lenient and consider solutions that are software-based that may not have the functionality of link aggregation of multiple links? Will this feature be considered critical to the overall performance of the Network Monitoring Tool?

The Technical Specifications will remain the same.
60 On page 104, number 7.1.1.3.4.8; it says that “The solution shall include C&C evasion technique over DNS manipulation including Domain Generation Algorithm (DGA).”

 

Can the end-user be more lenient and also consider solutions that are capable of providing the same result without using the Domain Generation Algorithm (DGA)? There may be solutions that don’t use a DGA engine in the Dashboard and use a different algorithm and yet are still able to deliver the required result, which is to detect whether the domain is a common domain or used by malware.

The Technical Specifications will remain the same.
61 For the end point security requirement on page 98, what is the average bandwidth connection of DICT to agencies and vice versa? At least 50Mbps to 100Mbps (Work Assumption)
62 Does the consultant need to report to DICT Office every day, 24/7? How long will be his contract, 1, 2 or 3 years? The consultant shall report to the DICT when requested by DICT for the duration of three years.
63 Do all infrastructure devices need to be redundant (ex. router, firewall, switch, IPS, ADC, etc.) within the Active site? The core systems of the CMS should be redundant, especially the items that are essential in the operations of the SOC. The system design is an important piece of our evaluation and consideration.
64 If above answer is yes, what high availability condition is required? Active-active? Active-standby? Refer to the answer above.
65 What is the expected throughput of event logs transmission from each of the agencies? 3-10Mbps (Work Assumption)
66 If the above question cannot be answered directly, an estimate can be generated by giving input to the inquiries below:

 

Device – Qty (all 50 agencies)

1. Network switches – ________________

2. Network routers – _________________

3. Endpoints – _____________

4. Windows Domain server – ___________

5. Windows application server – _________

6. Linux Server – __________

7. Exchange Server – ___________

8. Web server – _______________

9. Windows DNS Server – _____________

10. Database Server – ___________

11. Firewall (internal) – __________

12. Firewall (DMZ/internet facing) – _____

13. IPS/IDS – _______________

14. AntiSpam Agent – _________________

15. AntiVirus agent – __________

16. Others (indicate) – _________

Please note that this project will accommodate only the first 10 agencies and there will be different bidding or procurement process for the additional 40 agencies for the 2nd and 3rd year.

Also, the information for the priority agencies’ network will only be given to the winning vendor. The end-user can only answer queries for the Cybersecurity Management Systems Project (CMSP) and the core SOC itself.

67 Endpoint count is essential when sizing endpoint security. Is the 150000 endpoints mentioned in 7.1.1.2.4.2 already the size of the final state (all 50 agencies)? Yes.
68 If answer above is NO, what is the estimated number of protected endpoints that need to be added annually, starting this year? Please refer to answer above
69 There are protection components that need to be deployed on-premise within agencies to be protected. Please provide information below which can characterize environment within the agencies:

 

Internal network throughput (mbps) that will be monitored – qty?

 

Required physical interface types that will be used to integrate these devices to the network (ex. copper, 1G short range fiber, etc.) – qty?

Depending on the solution of the vendor. Installing agents to end users is one way. Assumption connection is 50 to 100mbs on the agency level. We required them to have Network Operation Center in place. If none we pick another agency.
70 Does IPS and Network ATP need to be deployed to the first 10 agencies as well? No, the IPS and Network ATP will be deployed only in the Core SOC
71 7.1.1.2.4.5. The endpoint security solution’s monitoring agents shall be updated automatically with most recent attacks with remediation to prevent future incidents.

 

Give examples of how this should be done. Our detection and response is constantly updated in near real time with more than 20++ threat intelligence feeds. What does it mean by updated with remediation?

The endpoint security solution shall include remediation reports to intelligence feeds updated in the system

 

Only the sensor with capabilities of detecting C&C and lateral movements shall be deployed in the priority agencies. This sensor shall also do Endpoint and Network Forensics with log collection to priority agencies’ network.

72 7.1.1.2.4.6. The endpoint security solution shall be able to learn about zero-day threats from other security devices doing virtual execution.

 

Our detection and response is constantly updated in near real time with more than 20+++ threat intelligence feeds. Does it mean we should be able to import IOC from Sandbox solutions?

The Technical Specifications will remain the same.
73 7.1.1.2.4.8. The monitoring agents shall be capable of deploying in different Operating System (OS) such as but not limited to Windows, MAC, and Linux.

Please state the nature of requirements in supporting various OSes other than Windows. Although most solutions limited flavors of LINUX. Cb Defense does not support LINUX at the moment, probably in Q3 we will have support for Redhat/CentOS LINUX

Monitoring agents shall support three major OS Windows, Linux and MAC OS.
74 7.1.1.2.4.9. The endpoint security solution shall be able to streamline current investigative process on network and host-based alerts.

 

Most end-users look at this at the SIEM level as it collects data from every device, network and endpoint. Can we say that the solution can contribute to streamlining by sending timely alerts and event notifications to the SIEM?

The sensor that will be placed in the priority agencies shall be capable of doing initial analysis to the threats found in the priority agencies. This shall be capable of doing initial filtering of false positives and provide initial analysis to threats and incidents before the escalation to the core SOC.
75 7.1.1.2.4.16. The endpoint security solution shall display a snapshot of the system health information and allow health checks to be initiated from the native interface.

 

Does “health check” mean “scanning”?

Yes.
76 7.1.1.2.2.1.8. The solution shall not have costs associated with reporting or administrative changes.

 

Is this question for on-premise or for Cloud solution? Cloud solution has a fixed count of admin changes allowed per month. If more changes are required, an additional fee will be applied.

It is Hybrid. We don’t have a plan of constantly changing the admin. We need a secured master account.
77 7.1.1.2.2.1.9. The solution shall stop DDoS attacks hidden in encrypted traffic whether IPv4 or IPv6.

 

TLS attack can be prevented without decryption would you still require decryption?

If you can prevent TLS attack without decryption then there’s no need for decrypting traffic whether in IPv4 or IPv6.
78 7.1.1.2.2.2.2. The solution shall support both DNS redirect (per IP) and Border Gateway Protocol (BGP) redirect (per Class C). Both options must be available within the same network, same web portal and managed by same support team.

 

[Note] For Cloud solution both diversion methods are managed by the same service team (Cloud SOC)
Exact solution is expected.
79 7.1.1.2.2.2.4. The solution shall be fully owned, operated and managed by the successful vendor. Support shall be provided directly by the vendor for DDoS events.

 

Are you referring for the Cloud Solution only?

Vendor shall be able to assist the end user not only by installed anti DDoS hardware but cloud solution as well. This means managing the defense against the attack.
80 7.1.1.2.2.3.2. The solution shall provide at least 1.5Tpbs of dedicated attack capacity.

Cloud solution is usually a shared infrastructure. What do you mean by Dedicated Attack Capacity

There should be a scrubbing center that can be composed of multiple operating centers focused on volumetric attack that  can accommodate up to total of 1.5Gbps.
81 7.1.1.2.2.3.3. The solution shall have dedicated attack transit.

 

What do you mean by dedicated attack transit. Please explain further.

Solution shall protect any data in transit to the cloud from any attacks.
82 7.1.1.2.2.3.8. The solution shall provide 500Mbps or clean traffic via GRE, with ability to burst up to 5Gbps.

 

You mean the clean bandwidth required is 5Gbps?

Access to the cloud should be fast 100MBPS to 500MBPS clean traffic
83 7.1.1.2.2.3.13. The solution shall allow traffic such as API’s and on ports other than 80/443 to be proxied.

What does “allow traffic such as API’s” mean? Please elaborate more.

This depends on the configuration of port set by the solutions provided by the vendor other than the common port 80 and 443.
84 7.1.1.2.2.3.14. The solution shall provide the ability maintain the source IP address in the case where SSL cannot be loaded into the platform. Explain how this is achieved. It is understood these limits mitigations to application layer.

 

Do you mean there is a limitation in terms of mitigation in case SSL cert is not loaded?

In the event SSL CERT cannot be loaded connection should not keep on resetting. It should still work, and source IP is still used.
85 7.1.1.2.2.4.1. The solution shall support monitoring of SOC’s edge routers. The alerts should be triaged by vendor SOC Analysts to prevent excessive alerting.

 

Please elaborate more and specify why is this required?

This information should be available to SOC internal assigned personnel.
86 7.1.1.2.2.4.2. The solution shall be able to integrate on premises network firewall.
7.1.1.2.2.4.3. The solution shall be able to integrate on premises web application firewall.

 

Do you mean the DDoS protection solution will complement Network Firewall and WAF? Please elaborate.

Yes. These two separate firewalls shall be able to DDOS and any excess to its capability should be able to be thrown to the cloud solution.
87 7.1.1.2.2.4.4. The solution shall signal bad actor IP data to the platform for blocking in real time.

 

Do you mean on premise solution can signal bad actor IP to the cloud solution?

Yes. As long as it can block known bad IP in real time because of cloud solution and/ or from global bad IP reputation.
88 7.1.1.2.2.4.5. The solution shall provide integration with SOC’s SIEM.

 

Does it mean that the on-premise solution can send syslogs to SIEM?

Yes.
89 7.1.1.2.2.5.2. The solution shall provide the ability to customize dashboards via the web portal.

 

Most of the solution has a predefined dashboard. Please provide details of the customization needed

The dashboard shall be able to be customized by changing the company name to DICT, the colors and fonts shall also be customized depending on the agencies’ preferences.
90 7.1.1.2.2.5.5. The solution shall provide multi-tenant access via web portal in the event businesses within the group need a sub account.

 

Most of the solution does not provide multi tenancy. Are you referring to simultaneous access to web portal?

Simultaneous access and ability to create accounts under the group.
91 7.1.1.2.2.5.6. The solution shall provide the option of two factor authentication.

 

Does it mean that admin logging in to the solution’s management console should be enforced with a second factor authentication (after the basic username-password credentials)?

Yes.
92 7.1.1.2.1.1.2. The solution shall support authentication for both client and session.

 

Please elaborate. Does this mean policy can be applied based on identity?

In the event of a primary device failure, the proposed device should be able to detect and trigger a failover.
93 3.3. The Vendor shall perform Vulnerability Assessment and Penetration Testing (VA/PT) for the SOC network.

 

Does this mean that Vendor will provide not only the VA/PT system, but also services? If YES, for how many years will be the initial engagement?

The VAPT services that will be provided by the winning bidder shall be made upon the completion of installation and configurations of the project. It will be made to check if the installed devices and software in the CMS have no vulnerabilities and are not subjected to attack by the hackers.
94 7.1.1.2.5.8. The solution shall provide the full malware analysis report in less than ten (10) minutes from the download.

 

[Requesting to relax criteria] The best way to test malware breach detection is to stress a solution’s HTTP detection engine to determine how it copes with detecting and blocking exploits under network loads of varying average packet size and varying connections per second.
Exact solution or better.
95 7.1.1.3.4.4. The solution shall leverage big data techniques in the detection process.
7.1.1.3.3.8. The solution shall use cache results and threat intelligence to prevent redundant scans of identical files.

 

Please elaborate. Does it mean that the solution can utilize stored data/logs in detecting malicious file or behavior?

Intelligence analysis technique can be used for detection process.
96 7.1.1.2.3.11. The solution shall be able to send event notifications using format standards such as JSON and XML.

7.1.1.2.3.12. The solution shall be able to send both summary notifications and detailed per-event notifications utilizing the protocols (SMTP, SNMP, or HTTP POST) and standard formats (e.g. JSON and XML).

 

[Requesting to relax criteria] Our solution supports SMTP and SNMP format notification and also uses open web API to allow integration to any existing security investment. An open API eliminate barriers from integrating with any future technologies.
Exact solution or better.
97 7.1.1.2.3.16. The solution shall be able to utilize NetBIOS and DNS for hostname resolution when generating alerts.

 

Our solution utilizes DNS for name resolution which can resolve names (within the DNS database) of all types of hosts whether they are a Windows machine or not. Kindly describe why NETBIOS will still be required.

Exact solution or better.
98 7.1.1.2.3.17. For the above list of applications supported in the VM’s the Vendor must have a method for pushing updates to the list of applications dynamically to the appliance without requiring a full OS or solution upgrade.

 

[Requesting to relax criteria] A VM environment within a sandbox is designed in a way to be isolated from external network such as the internet. Allowing to update software version in a live VM will defeat its purpose, unless an internal update server will be built for every software imaginable (impractical, operation wise). The standard and best practice method is to rebuild the VM using an image that is updated prior to loading inside the sandbox.
Exact solution or better.
99 7.1.1.2.3.42. The solution shall be able to utilize XFF headers to identify the client machine generating the alerts when deployed in front of a proxy server.

 

[Requesting to relax criteria] The solution will be positioned in a manner where traffic will be intercepted prior to being proxied.
Exact solution or better.
100 For the endpoint security requirement on page 98, what is the average bandwidth connection of DICT to agencies and vice versa. At least 50Mbps to 100Mbps
101 7.1.1.2.3.36. The solution should have the ability to remain fully effective when configured to share no data, events, nor any information with vendor or the vendor’s network.

 

Does it mean that the solution may be configured to not share information back to the manufacturer, such as analytics, diagnostics, and usage information?

Yes, the system shall be designed in a way that the CORE SOC will not send back information to the vendor’s network. The vendor shall provide feeds and information to the SOC but the SOC itself shall not send feeds to the vendor’s network.
102 7.1.1.2.2.1.8. The solution shall not have costs associated with reporting or administrative changes.

 

Our on-premise solution offers an intuitive GUI which controls all the settings necessary to mitigate attacks.

 

Our cloud solution includes two standard changes per month at no charge. If more changes required, additional service fee will be applied.

 

What are considered as “Reporting Changes?” All reports in our Cloud solution are predefined, only the time period can be changed.

Exact solution or better.
103 7.1.1.2.2.1.9. The solution shall stop DDoS attacks hidden in encrypted traffic whether IPv4 or IPv6.

TLS attack can be prevented without looking into the payload. Would you still require the solution to decrypt packets and inspect against all HTTP countermeasures?

If you can prevent TLS attack without looking into the payload then there’s no need to decrypt packets and inspect against all HTTP countermeasures.
104 7.1.1.2.2.2.2. The solution shall support both DNS redirect (per IP) and Border Gateway Protocol (BGP) redirect (per Class C). Both options must be available within the same network, same web portal and managed by same support team.

[Note] For Cloud solution both diversion methods are managed by the same service team (Cloud SOC).
Noted.
105 7.1.1.2.2.4.6 The solution shall provide email/phone and SMS alerting options.

 

[Request to relax criteria] Email alerts are supported. For SMS, we don’t natively support this feature, but if the environment has email-to-SMS service (SMS gateway), then we can also send SMSs in that sense.
Exact solution or better.
106 7.1.1.2.2.5.4. The solution shall allow unlimited users access via web portal. Customer shall be able to create additional users as required.

 

[Request to relax criteria] For on-prem solution, we recommend 5 concurrent users. Though more than 5 users are still possible but it might start to impact the UI performance. Packet/Traffic performance will NOT be impacted.

 

For Cloud, all users are created/setup by the cloud managed services team. We usually allow customers to create up to 20 accounts which should be more than enough for enterprise engineering team.

Exact solution or better.
107 Since the ABC has a substantial amount, lowering the amount requirement will allow more bidders to participate, making the bidding to be more competitive, hence, advantageous to DICT. In reference to the Single Largest Completed Similar Contract, – Thank you for granting the request during the Pre Bid Conference to lower the amount for the Single Largest Completed Similar Contract to at least twenty five percent (25%) of the ABC.

 

– Furthermore, we would like to request the following options:

 

a. “Similar” contract be defined as Contracts related to systems integration/solutions (combination of hardware and software). This project is a Systems Integration exercise, and this requires experience in the deployment of diverse but complementary hardware and software solutions which will achieve DICT’s mission of a self-sufficient and fully functioning SOC.

 

b. “Similar” contract be defined as aggregated amount of systems integration/solutions (combination of hardware and software) and supply installation and delivery of any core component of a Security Operations Center (SOC), the aggregated value of which, should be half of the 25% of the ABC.

Submission shall be a Statement of Completed Single Largest Contract of Similar nature within the last five (5) years from the date of submission and receipt of bids equivalent to at least fifty percent (50%) of the ABC or Statement of At Least Two (2) Contracts of Similar Nature within the last five (5) years from the date of submission and receipt of bids, the  aggregate of which should be equivalent to at least fifty percent (50%) of the ABC, and the largest of these similar contracts must be equivalent to at least twenty five percent (25%) of the ABC. (Annex I-A)

 

“Similar” contract shall refer to Security Operations Center (SOC).

 

Any of the following documents must be submitted corresponding to listed contracts per submitted Annex I-A:

a.     Copy of End user’s acceptance;

b.     Copy of Official receipt/s; or

c.     Copy of Sales Invoice

108 From the checklist of requirements for bidders, Section 12.1 (b) (vii), it is stated that we are required to submit “Business Registration Certificate (BRC) with a minimum of five (5) years of experience in the field of intelligence, threat detection and cyber security.” The SEC provides for such under Primary Purpose, but is very general: computer hardware, peripherals, accessories, supplies, related products, computer software applications and data communications equipment. May we then request the provision to state that “Any legal document that states a minimum of five (5) years’ experience in the field of Information Technology”. Submission should be the Business Registration Certificate (BRC) with a minimum of five (5) years of experience in the field of ICT.
109 Under Section 12.1 (b) (ix) of the checklist of requirements for bidders, it is stated that we are required to submit “Valid Certification from at least two (2) of the bidder’s clients to prove that they have performed or capable of performing cyber forensic investigations specifically involving external attackers”. Thank you for approving the request during the Pre-Bid Conference for this to be modified.

May we confirm that such modification is submission of any of the following:

– Two (2) Valid Certification from the bidder’s manufacturer/principal to prove that they have performed cyber forensic investigations specifically involving external attackers.

– In the absence of the certification from clients due to non-disclosure agreement, a valid Contract where the client name is not shown can be submitted. DICT shall however be allowed by the bidder to inspect said document during post qualification.

– In the absence of both, if the occurrence is a public information, then we just need to submit the public document such as newspaper or article.

Yes.
110 Under Section 7.1.1.9. Vulnerability Assessment and Penetration Testing (VA/PT) Tool.

 

a. Sections 7.1.1.9.1, 7.1.1.9.2, and 7.1.1.9.3 statement refers to a Hardware Appliance Solution. May we request that this requirement be relaxed to enable software-based solutions that will comply with requirements of 7.1.1.9.18?

 

b. Likewise, we would like to request that 7.1.1.9.8.4 be restated to “The solution shall be available in either software-based solution or hardware and appliance version”

 

c. For 7.1.1.9.16, may we know how many Servers are there from the 1,500 endpoints per agency?

a. Please refer to the table below for changes in provisions.

 

b. Please refer to the table below for changes in provisions.

 

c. Please note 5000 agents will be delivered per year for the next three years totaling to 15000.

111 Under 7.1.1.2.2. Distributed Denial of Service (DDoS) Protection:
a. For 7.1.1.2.2.1.9, could you please clarify on encrypted traffic? Is that referring to SSL IPv6?

 

b. For 7.1.1.2.2.1.11.7, would you please explain further on this requirement “Idle TCP sessions and blacklist consecutive fails”?

 

c. For 7.1.1.2.2.3.10, is this requirement not to change BGP related configuration to divert the traffic to the cloud DDoS scrubbing center? Please help to elaborate.

 

d. For 7.1.1.2.2.3.12, could you please elaborate on “per application redirection” using DNS?

 

e. For 7.1.1.2.2.3.13, does this mean that you don’t want to use port 80/443 to do API with our Cloud DDoS service? If yes, could you please share your reason?

 

f. For 7.1.1.2.2.3.14, Could you please explain the statement “ability maintain the source IP address in the case where SSL cannot be loaded into the platform”?

 

g. For 7.1.1.2.2.4.2, can you share with us the reason for integrating with firewall?

If you can prevent TLS attack without decryption then there’s no need for decrypting traffic whether in IPv4 or IPv6.
112 For other Physical Parameters of the Security Operations Center (SOC)

 

a. Should the windows of the SOC be blocked out with dry wall?

 

b. For Section 3.2.10. Civil Works as needed. May we request this to be elaborated so that we can assume costing?

 

c. How many data ports shall we provide for the structured cabling?

 

d. For the CCTV, how many days is the required retention period for the video?

 

e. May we have the specifications of your existing UPS and Power Infrastructure?

 

f. May we request Environmental Conditions Operability such as temperature, humidity and power consumption for the devices to be relaxed to comply with known industry standards commercially available locally.

 

a. Yes.

 

b. Civil works shall include the division, flooring, and painting of the whole Security Operations Center. This must include also the installation of all equipment, physical or software that will make the SOC as a turnkey solution project.

 

c. Depends on the solutions

 

d. 6 months

 

e. UPS will be provided by vendor. UPS shall at least provide 10 minutes power and can accommodate the servers to be delivered by the vendor. Power panel board will be constructed by the vendor as part of the civil works.

 

f. Industry standards should be applied. Server room temperature shall rely on and in accordance to the server’s specifications and solutions the vendor will deliver.

113 May we request for the Solution Architecture, Traffic flow, Block Diagram and Systems/Components Integration Diagram? Block diagram is available. Other diagrams will rely on the solutions that will be provided by the winning vendors as long as they meet the technical specifications of this project.
114 Can we have the network block diagram of each of the 10 agencies that will use Cybersecurity Security Management? The network diagram of each agency will be shown only to the winning bidder.
115 Can we request for the endpoint inventory (e.g. Desktop OS, memory and CPU) of each of the 10 agencies for endpoint protection deployment strategy? The endpoint inventory of each agency will be shown only to the winning bidder.
116 Can we have the details of the WAN connections to DICT network of the 10 agencies? This will be shown to the winning bidder.
117 Item 7.1.1.2.4 Endpoint Security

 

a. Is 100 endpoint security client deployment per priority agency acceptable? The remaining licenses will be deployed by DICT personnel?

Please refer to item no. 25.

To reiterate, 500 endpoints per priority agency can be deployed for year 1 and gradually increased for year 2 and 3.

118 What are the servers that will utilize the Application Delivery Control (ADC) solution? It depends on the proposed solution of the vendor.
119 For the SOC Layout, we may request the following;

 

a. Details of the floor to ceiling height

 

b. Civil structural plan of the proposed site and location

c. Electrical plan of the setup and building

 

d. Is ocular site visit and survey possible?

 

e. Is modification or deviations on this design possible after additional details are provided and or after the ocular?

 

f. Is Generator Set system included on the requirement?

g. Are we going to consider the workstation load on the UPS requirement?

 

a. Please refer to the attached SOC Layout.

 

b. Please refer to the attached SOC Layout.

 

c. Please refer to the attached Electrical Layout.

 

d. No, we will no longer allow site visit to the SOC because the floorplan is already attached in the Technical Specifications.

 

e. No, we will follow the provided SOC layout.

 

f. No.

 

g. No, only the UPS.

120 For the Disaster Recovery Management System item 7.1.1.7

 

a. Is co-location acceptable?

 

b. For item 7.1.1.7.5. Please elaborate the “retrieval of entire CMS data and operation” particularly operation. Does this mean that DR site can retrieve and operate as stand-alone during unavailability of the main site thus data and CMS solution components are to be backup and duplicated?

The Disaster Recovery Management System will be in Hybrid Form. Hence, the backup storage appliance is on-premise, on a different network from the Core, and the off-site DR will be placed in the cloud. This means that all data in the CMS shall be backed up on-premise and in the cloud, so that all data can be retrieved in case of an incident affecting the core.
121 For item 7.1.1.6 Portable CMS
a. Can this portable CMS be an extension of the main CMS only?
a. No, the portable CMS shall do the functionalities of the Main CMS (SOC). The Portable CMS will serve as the mobile CMS that can collect logs and perform analysis and network forensics for agencies/companies that are not part of the priority agencies. Please refer to the Technical Specifications for further information.
122 For the SOC layout in page 77

 

a. From the SOC layout which glass and how many panels should have switchable privacy function?

 

b. How many keypad and finger-vein biometric terminals are going to use in the SOC premise?

a. The switchable privacy glass shall be placed at the conference room and SOC Manager Room. (Please see the attached floorplan for more details)

b. We need 4 Finger-Vein Biometric Authentication and 4 Keypad Authentication. A facial recognition scheme shall also be included in the Analysts and SOC Manager Workstation. Therefore, we need 9 Facial Recognition System in the SOC. (Please refer to the Technical Specifications)

123 Network Infrastructure

 

a. Items 7.1.1.10.1.1, 7.1.1.10.1.41 and 7.1.1.10.1.42 discuss details of three different network switch models. Does this mean that the solution must include at least 3 switches? May we request the diagram and proposed setup of this network infrastructure?

 

b. What are the connections of these switches

The objective is that the SOC network is separated from another network on the same floor. Depending on the entire security solutions, this shall be adjusted with the winning bidder and DICT.
124 What is the difference on the workstations discussed in item 8.1. Console Desk System and item 8.13 SOC Desktop Package?

 

a. If different stations, where are the locations of these at the SOC layout?

 

b. If these are the same stations, what configuration will be followed as console desk system requires 4 unit with dual 24” LCD monitor while SOC desktop package is 9 units with 34” swift Curved Monitor?

Please see table below for changes in provisions. (34″ swift curved monitor for the Analyst and SOC Manager’s workstation will be followed as the requirement for the console desk system)
125  In section 7.1.1.2.6 (ADC) how many applications will be load balanced and what is the projected total throughput of these applications? This will depend on the solution
126 In section 7.1.1.7. Disaster Recovery Management System, are we going to replicate the entire core components in the DR site, which includes NGFW, ADC, Anti-DDoS, SOC, etc.? The Disaster Recovery Management System will be in Hybrid Form. On Premise solution for the physical equipment.
127 For the VAPT requirement in section 7.1.1.9, would the alerts for vulnerabilities, ports, certificates, software Installed, etc. need real time notification (continuous monitoring)? No, the Disaster Recovery Management System will be in Hybrid Form. Backup storage will be in Hybrid form and other replica of data in the SOC will be located in the cloud. Other requirements for the DR is on the Technical Specifications.
128 For VAPT requirement in section 7.1.1.9, is Policy Compliance needed? Also, is File Integrity Monitoring (FIM) needed? Yes, for both (Policy Compliance and File Integrity Monitoring)
129 For Network Forensics section 7.1.1.5.5, regarding nanosecond time stamping at recording is it possible to have a speed of only 10Gbps instead of 20Gbps? No, 20Gbps shall remain.
130  For item 2.1.3.4 – For the Business Registration Certificate, Is this Security Exchange Commission Registration Certificate? If yes, is Information and Communication Technology solution with specialization on network and information security and management, data center and virtualization solution and network infrastructure solution acceptable? Yes.
131 For 2.1.3.5 valid certification for at least 2 clients to prove that they performed cyber forensic investigations. As option to this requirement, is certification coming from manufacturer or distributor that the bidder is engage in cyber forensic investigation acceptable? Yes.
132 For item 2.1.3.6. The Vendor shall provide a portfolio or any documentary report to prove that they have deep intelligence in cyber threat actors especially those related to financial crimes and critical infrastructure. Is vendor or Manufacturer acceptable to provide documentary report that their product has been used for deep intelligence in cyber threat actors? Yes, the technical report shall be notarized legally to prove its intelligence in hunting cyber threat actors.
133 Statement of Completed Single Largest Contract of Similar Nature within the last five (5) years from the date of submission and receipt of bids equivalent to at least fifty percent (50%) of the ABC (Annex I-A).

 

Is 3 completed contract the aggregate amount of which should be equivalent to at least twenty 25% of the ABC. Similar means any Information and Communication Technology Solution Contract with at least one SOC Core component required by DICT on one of the 3 completed contract acceptable?

No, similar contracts should have an aggregate amount equivalent to fifty percent (50%) of the ABC, largest of which is twenty five percent (25%) of the ABC

 

All contracts shall provide similar project that will be offered in the CMSP. Similar project shall mean Security Operations Center and similar products like Threat Intelligence Platform, AI / Machine Learning.

134  Schedule of Requirement Page 70.
a. For Head Office Hardware/Software Onsite Delivery, can this be extended to 2 months same with installation of equipment in the priority agency?

 

b. For the Installation and configuration 0.5 months, can this be extended to 2 months? This is to give enough time for the installation of all SOC component, office fit outs and other civil works needed.

 

c. Is the data center reflected in the SOC Layout is the primary data center that will house all the equipment required in this project?

d. it is assumed that the allocated timeline in project schedule particularly “Hardware/software Onsite Delivery”, Installation and configuration”, Testing and submission of testing Result and Documentations”, CMS Network VAPT Operation Stress Test” and knowledge transfer” will commence after the build of the data center in the SOC site, please confirm?

a. See amended provision (We changed it to 1.5 Months)

 

b. The requirement for this will remain the same.

 

c. Yes

 

d. Yes but the SOC site is already built and is now subjected to civil works and installation of all necessary equipment for the establishment of CMSP.

 


135 Item 9, page 126 Operation

 

a. How many onsite are needed and what are the required skills?

 

b. Please confirm based from the bid document, we will assist in staffing the CMS team in 3 years up for the KT. 1 Engr per Tier (Tier 1-3) + 1 Supervisor. This means minimum of 4 (Tier 1 – 1, T2 – 1, T3-1 and 1 sup) Duties of onsite -8×5, 24×7?

a. The vendor shall provide 1 Analyst per tier (Tier 1 to Tier 3) with one supervisor that will work inside the SOC for three years. The Tier 1 and Tier 2 Analysts shall have at least 3 years experience as SOC Analyst, while the Tier 3 Analyst shall have at least 5 years experience as SOC Analyst and shall have a background in Forensics. Other requirements are written in the TOR.

 

b. Number of staff is correct. Yes, it is 8hrs per day but assigned on different shift.

136 Can we request to extend the Hardware/Software On-site Delivery from 1 month to 2 months upon receipt of NTP?
Please be informed that the ordering, including the ETA (Manila) of this equipment, will consume almost 30 to 60 days.
Please see table below for changes in provisions.
137 Portable CMS

 

a. What will be the required functionalities/capabilities

 

b. Will the portable CMS be required for the 10 agencies only?

 

c. Can we use a 1U/2U rack-mountable server for this?

a. The portable SOC should have the following feature services:

i. SIEM & Free-Form Log Search Engine services

ii. Intrusion Detection System (Host&Network) services

iii. Threat Intelligence Update services

iv. Automated Network Malware Analysis Services

v. Rapid incident response agent services

vi. Honeypot-based intrusion detection system services

vii. Network forensic data capture services

viii. Compliance Checking & Management services

 

b. No

 

c. We use 2U rack mount

138 Next Generation Firewall

 

Can you clarify the required firewall throughput which is 200Gbps in the TOR?

The required firewall throughput is 20Gbps.
139 Cyber Threat Intelligence Platform

 

It is not mentioned that the CTI platform requirement is residing to cloud or on-premise? Please clarify

Hybrid (Both cloud and on-premise)
140 Network Advance Threat Protection

 

a. What is the throughput capacity required based on the internet bandwidth per agency? Are we considering the 1Gbps Throughput per agency? Also please confirm if only 10 agencies that needs this solution.

 

b. How many sites requires the Network Advance Threat Protection and IPS/IDS solution? Are we safe to assume 1 site per agency?

 

c. Please provide the physical ports/connections needed for Network Advance Threat Protection and IPS/IDS.

a. 50-100 mbps per agency, but the core should have more capacity

 

b. 1 unit for the core

 

c. This will be based on the interoperability of the solutions.

141 Intrusion Prevention and Detection System (IPS/IDS)

 

Will the solution be hardware or virtual appliance?

Hardware
142 Dark Web Investigation

Can you expound the description/function of the Avatars

An avatar is an online representation of investigators that can collect information by scanning open source platforms and Dark Webs. Avatars act as robots that do specific tasks based on the rules defined by the end-user.
143 Web Intelligence

 

a. Are you expecting multiple solutions for this requirement?

 

b. Are we supposed to provide a dedicated SMS Gateway?

 

c. What’s the preferred deployment model? Cloud or On-premise?

 

d. What’s the assumption with identity aggregation on Viber, telegram? Is mobile number and email good enough as basis of collected information?

 

e. Do you expect that these requirements are embedded in one unified solution? Or can these be decomposed, Then resolute in one analytics platform on top of the turn-key solution

 

f. Does the location awareness also being considered for a specific TOR browser user?

 

g. Is it possible to remove the Web Intelligence portion and include it in Phase 2 for us to comply with your budget?

a. It depends on the vendor as long as it complies with the Technical Specifications.

 

b. No

 

c. Hybrid (Cloud and on-premise).

 

d. Yes.

 

e. Yes.

 

f. Yes.

 

g. No.

144 Endpoint Security

 

a. It is not mentioned that the management or controller requirement for the endpoint security should be cloud or on-premise? Please clarify.

 

b. The number of endpoints that needs to be covered is mentioned below. Please confirm if the endpoint license for 3 years should cover 15,000 Endpoints. Then you will just add further licenses on top of it if needed.

 

7.1.1.2.4.2. The endpoint security solution’s monitoring agents shall be deployed to 15,000 endpoints within the priority agencies.

7.1.1.7.9. The solution’s backup storage shall store backup data for six (6) months. It must be expandable to support three (3) years growth with fifty (50) agencies connected to the main CMS site, each with 1500 endpoints.

7.1.1.9.16. The solution shall support up to 15000 endpoints (1500 per agency)

a. Hybrid (Cloud and On-Premise)

b. Yes

145 Networking Monitoring

Referring to items 7.1.1.3.1.5. and 7.1.1.3.1.8., it seems that a port or network aggregation solution is required (i.e. Gigamon or IXIA). Can you clarify and elaborate?

“7.1.1.3.1.5. The solution shall be able to aggregate multiple 1GE links to one 1GE interface to increase the throughput of the links in a passive, non-intrusive manner.”
“7.1.1.3.1.8. The solution shall be able to tag aggregate links using IP address ranges or VLAN tagging to allow identifying from which source a specific traffic arrived.”

It will depend on the offered solution.
146 Detection Sensors

 

What do you mean by “Neutral List” below? Please elaborate further.

 

“7.1.1.3.2.1. The solution shall support White List, Black List, and Neutral List to optimize detection by lowering false positives:”

“7.1.1.3.2.4. Neutral List – network identifiers that should not be in the Black or White Lists (alert will pop).”

Neutral List is a set of IP addresses which attempted to access the server that needs to be validated.
147 Log Collection and Correlation

a. It is not mentioned that the Log collection and Correlation requirement is residing in cloud or on-premise? Please clarify.

b. Can we request for the more detailed assumptions of how the target agencies assets will look like? If possible, to decompose the items such as; users, hosts, desktop, laptop, mobile, firewall, network peripherals, IPS, IDS, Endpoint security. Whichever is relevant for the agencies to be onboarded

c. It is not mentioned the size requirement for the Log collection and Correlation in EPS (Event per Second). Please provide EPS sizing. And specific quantity of 3rd party data source needed per agency for log ingestion

a. Hybrid (Both Cloud and On-Premise). The log correlation is only for the core.

 

b. This information will be disclosed to the winning vendor.

 

c. This information will be disclosed to the winning vendor.

148 Forensics

 

a. It is mentioned in section 7.1.1.5.5.6. The solution shall have a retention period of thirty (30) days. –> Please clarify if this includes Full PCAP or just network metadata events

 

b. It is mentioned in section 7.1.1.5.5.6. the recording speed for packet capture must be up to 20Gbps–> Please clarify if this will be the needed throughput capacity per agency that requires full packet capture

 

c. Do we need to provide full packet capture for 10 priority agencies or just for DICT

a. Both full PCAP and Network Metadata events

 

b. 20 Gbps will be the needed throughput capacity for the 10 priority agencies that requires full packet capture.

 

c. Both

149 Disaster Recovery Management System

 

a. What is the scope of the DR site? Will this be hosted by the vendor?

 

b. Will the whole CMS be replicated? If not, clarify the components to be replicated in the DR

 

c. Is the 13TB based on a 1-year or 3-years sizing?

 

d. Are we going to provide a different storage (SAN) in the CMS aside from the Data Lake?

e. Will the connectivity to the DR site be provided by DICT?

 

f. What is the interval of the snapshots?

a. The scope of the DR site shall include back-up and all components of the core. This is composed of two storages: on-premise and cloud. The vendor shall provide a user account for the cloud-based DR site upon delivery.

 

b. Yes

 

c. Kindly Refer to the requirements stated in the Technical Specifications.

 

d. No. The storage will be the data lake.

 

e. No

 

f. Almost real-time or within an hour.

 

150 Storage (Data Lake)

 

How much usable space needed for the Data Lake?

Kindly Refer to the requirements stated in the Technical Specifications.
151 Distributed Denial of Service (DDoS) Protection

 

a. Do you have any external facing applications/servers that a DDoS will protect?

 

b. There was a mention of integration of network firewall and WAF,
(1) Will there be application that we need to protect inside network? (2) Any applications that will be provided to the agencies?

 

c. Are the list mentioned are on-prem?
(1) Web, DNS, VoIP, SMTP?

(2) What applications will be running inside the network?

 

d. How many Class C address ranges does DICT need to protect?

 

e. Is the clean bandwidth from the off-prem provider 500Mbps?

 

f. How many ISPs will be installed?

 

g. Would you have your own ASN number? or is it just static?

Any Digital assets of the SOC that has connection to the internet should be protected by DDOS. This will be also identified by the winning vendor since they will be providing the solutions.

 

a. None

 

b. Strong and premium firewall and WAF should be installed. Applications inside the SOC will be also protected by end-user agent for protection.

 

c. (1) Yes (2) Applications running inside the network are mostly the SOC systems and core solutions.

 

d. The assumption will be 15,000 among the 10 agencies. DICT has 255 subnet class C IP addresses.

 

e. At least 50 Mbps to 100 Mbps

f. 2

 

g. No

152 Network Infrastructure

 

What are the individual specification requirements for Access/Distribution and Core Switches?

Please refer to the Technical Specification. In addition to it, the vendor shall make assumption that whatever solutions they will be delivering based on our TOR specifications adjustment on core switches, access etc. shall fit to the solutions.
153 ADC

 

What will the ADC do?

 

a. Can you provide throughput/tps for proper sizing?

 

b. Applications involved?

a. 60Gbps/35Gbps L4/L7 and 12 Gbps software compression

 

b. All ADC solutions will be based on what the vendors will provide. DICT expects the ADC to have the ability to load balance servers, web technologies and security applications.

154 VA/PT

 

How often will the VA scanning for the agencies?

At least once a year or when there are major changes to the entry systems.
155 SOC Fit-out

 

a. Does fit out include power related requirements? If so, please state the components

 

b. Can we offer larger display or better resolution for the video wall/display requirements?

 

c. Will fit out include the ground floor? Is structure cabling included?

 

d. Can we request for “as-built floor plan” in cad file?

a. The electrical wiring has already been provided for tapping. The power rating will depend on the provided solution.

 

b. Yes

 

c. Yes

 

d. Cannot be provided

156 Security Operations

 

Will Security Operations be co-terminus with the 10-months duration? Coming from the Schedule of Requirement (page 70), formal SOC Operations may only start after the Operational Stress Test. If SOC Operations will be co-terminus with the 10 months duration, does this mean that SOC Operations will only be for 3 months? If not, what SOC Operations duration does DICT envision that is covered by the current ABC? If this is the “3 years” indicated in section 9.1.1 (page 126), please confirm because this duration outlives the “10-months delivery period”.

It is 10.5 months. The basis of year 1 will be the turn over date of the solutions to the end users.
157 It states that SOC Operations will include “at least one (1) personnel for each tier from Tier-1 to Tier 3, and another one (1) personnel that will act as Supervisor”.  Will the vendor only need to provide 1 person per Tier, or does it have to consider the 24×7 shifts, i.e. For Tier-1 alone, 1 person per Tier per Shift really means 5 persons to man a 24×7 operations? The vendor will only provide 1 person per Tier and 1 Supervisor for a total of 4 personnel with consideration of the 24×7 operations.
158 General Questions

 

a. Please clarify the license that DICT will purchase for the agencies per year, the stated license required is 15,000 for 10 agencies, do we include the additional 40 agencies on the 2nd and 3rd year?

 

b. How many concurrent devices needs to be scanned per agency?

 

c. For the warranty, will it cover 24 months or 36 months?

 

d. Would DICT supply the hardware for the agencies for the collector and threat protection?

a. This number will be changed once we see the actual average from the year 1 of SOC build up and end-user protection. 15,000 will be distributed within 3 years.

 

b. The solution shall have the option on the number of devices to be scanned. This will depend on the agreement between the agency and DICT.

c. 36 months (3 years)

 

d. Yes, log collectors (HW) will be deployed to agencies.

159 Schedule of Requirement

 

May we request for at least additional 15 days to accommodate the civil works for the build and fit-out of the SOC room? Upon checking this scope is not included in the milestones declared in the bidding documents.

The civil works and fit-out will be in parallel with other deliverables.
160 1. Network Protection Tools

 

Can you confirm that the requirement for this is for the SOC only?

Yes, the network protection tools will be placed in the SOC only.
161 3.4. The Vendor shall equip the SOC with cyber security tools for the SOC networks own protection such as but not limited to Firewalls, Anti-DDoS Protection, SOC Platform, Endpoint and Network Security, and Network Advanced Threat Protection. Scope of work indicates SOC only coverage. Thus, may we request that the technical specifications of auxiliary systems must be adjusted accordingly? No, the technical specifications of the project cannot be adjusted.
162 5. SOC Layout

 

a. Can we modify or improve the design of the SOC layout?

 

b. Please advise earliest possible date to conduct an ocular visit?

 

c. Is it possible to work during weekends for the civil works?

 

d. Is there any existing cooling unit? If yes, can we utilize the existing ACU?

 

e. Is there an existing electrical panel board on the SOC location? If yes, can we change the capacity of the breakers

a. No

 

b. We won’t be allowing ocular visit.

 

c. Yes

 

d. Yes

 

e. There is an existing electrical panel board at the first floor of the building. Another panel board shall be provided at the second floor where the SOC will be located.

163 6.2 The solution shall cater three (3) years growth and shall support a minimum additional twenty (20) agencies each year.

 

Please confirm that the requirement for this bidding is for the Phase 1 only and that the solution will only be upgradeable/ expandable or Phases II & III. Meaning the hardware and software for Phases II and III are out of scope from this tender.

The requirement for this bidding is for the Phase 1 only. The Phases II and III will have separate biddings in the coming years.
164 6.23 hybrid-based solution and ensure availability for 99.9%

 

Please confirm that the 99.9% availability is for the SOC only and not to the network protection tools.

The 99.9% availability is applicable to all components of the project.
165 7.1.1.2 Network Protection Tools

 

Can you confirm that these are for the protection of the SOC itself only?

The SOC is generally an isolated environment with a very small portion of its activity depending on open Internet connectivity. The small activity that depends on the Internet requires protection against Internet common threats, as typically supported by the FW, the Proxy and the End Point tools such as AntiVirus. The currently requested protection technologies are not relevant for such a setup, quality and quantity wise.

Yes, the network protection tools are for the SOC itself only.
166 7.1.1.2.1. Next Generation Firewall (200 Gbps Firewall throughput)

 

We understand that for scalability and future growth consideration, we need a next generation firewall that would be able to accommodate up to 40 more agencies. The expected traffic between the Agencies sites and the N-SOC main site is 20 Mbps per agency, so the total bandwidth for 10 agencies sums up to 200 Mbps. In that respect, a 200 Gbps firewall throughput is very big. In addition, equipment with this type of capacity will cost a lot and will not meet the ABC taking into consideration other components, such as Data Center fit out. (ref. 7.1.1.2.1). We share the same comment/concern with other bidders. May we request to change the requirement to 2 Gbps, to support future expansion as well?

The requirement for the Next Generation Firewall should be 20 Gbps.
167 7.1.1.2.1.1.7. The solution shall be able to identify unknown malware by using multimethod detection technology, such as static, dynamic, and bare metal analysis.

 

Can we offer an equivalent multi-method detection used by our firewall solution?

Yes.
168 7.1.1.2.1.1.17 – Application control and URL Filtering security rules must be unified for easy configuration and is able to categorize more than 200 million URLs sites which can support multiple categories by creating a filtering rule and creation of filtering for single site by multiple categories

We would like to request a range of 10 million to 200 million URL sites that can be categorized. Different firewall solutions have their own value.

We will stick with the original requirement. Kindly Refer to the requirements stated in the Technical Specifications.

 

169 7.1.1.2.2.1.4. The solution shall have a scrubbing center located in the cloud to provide the volumetric DDoS protection. 7.1.1.2.2.1.6. The solution shall have on premise protection against volumetric, state-exhaustion and application-layer DDoS attacks.

 

Can we offer a Cloud based DDOS solution? It is more effective in terms of cost and functionality in this early stage compared to having an on-premise solution. The above two sections are already covered by cloud-based solutions.

The solution should be hybrid (combination of cloud and on-premise)
170 7.1.1.2.2. Distributed Denial of Service (DDoS)Protection

 

The NGFW includes DDoS functionality, which per our experience and best engineering judgment suits well the required SOC protection, including the future expansion. May we reference these specifications to the DDoS function in the NGFW?

No. DDOS functionality in the Firewall is an added specification to the Next Generation Firewall but we want full security measure in our network that’s why we added another DDOS Protection tool in the project.
171 7.1.1.2.2 Distributed Denial of Service (DDoS) Protection

7.1.1.2.2.3. Platform Architecture

7.1.1.2.2.3.2. The solution shall provide at least 1.5Tbps of dedicated attack capacity.

 

The required 1.5Tbps DDoS is a Carrier Grade, intended for ISP servicing millions of subscribers. This equipment is very expensive (multi-million-dollar equipment) and might take most of the ABC and is a huge overkill if the intention is to protect only the SOC. In our opinion, to protect the SOC itself, the DDoS which is implemented inside the Firewall is sufficient and effective enough and there’s no need to require a separate DDoS. With this, may we request to just remove the requirement for 1.5Tbps of dedicated attack capacity? There’s no official documentation in terms of the datasheet of DDoS Protection solution.

Please see table below for changes in provisions.
172 7.1.1.2.3. Network Advance Threat Protection

 

The NATP performs the same tasks as the Monitoring tools (7.1.1.3), which will be the main cyber protection for the agencies and DICT itself. This multi-million $ system seems as a duplication and takes a major part of the ABC. Thus, may we suggest that this requirement be removed from the TOR?

No.
173 7.1.1.2.4.2 The endpoint security solution’s monitoring agents shall be deployed to 15,000 endpoints within the priority agencies.

May we request to remove the monitoring agent for 15,000 endpoints? As discussed during the Prebid, each agency will have each own endpoint protection. What they need would be a solution that has “sensors” which is the solution to monitor the activities of each endpoint. These sensors are already included in our CMS solution.

Yes, the end-user will need sensors that will be deployed in the priority agencies. These sensors will also include monitoring agents as part of the technical specifications in the TOR, and these sensors will also do forensics (Endpoint and Network), C&C, and lateral movement detection as part of their capabilities.
174 7.1.1.2.4.8. The monitoring agents shall be capable of deploying in different Operating System (OS) such as but not limited to Windows, MAC, and Linux.

Can you confirm that the monitoring agent’s OS support will be based on the proposed SOC (servers)?

No, since the monitoring agents can be deployed to different Operating Systems, then, the monitoring agents can also be deployed to servers for further monitoring.
175 7.1.1.2.5 Intrusion Prevention and Detection System (IPS/IDS)

 

The NGFW includes IDS/IPS capability, which per our experience and best engineering judgment suits well the required SOC protection, including the future expansion. May we propose the NGFW IDS/IPS function in compliance to this requirement?

No. IDS/IPS functionality in the Firewall is an added specification to the Next Generation Firewall but we want full security measure in our network that is why we added another IDS/IPS protection tool in the project.
176 7.1.1.2.6. Application Delivery Controller (ADC)

 

The Application Delivery Controller (ADC) is not applicable for the SOC environment. We recommend removing this requirement.

Noted, but the ADC will remain.
177 7.1.1.3.6. Log Collection and Correlation

 

32. For SIEM, please provide the required MPS (messages per second) for proper sizing.

Please refer to the requirements stated in the Technical Specifications.
178 7.1.1.7. Disaster Recovery Management System

7.1.1.7.1. The Vendor shall provide disaster recovery site for the SOC.

7.1.1.7.2. The backup storage shall be a standalone storage SAN appliance, connected to the CMS.

 

a. Is the DR site already existing?

 

b. Is the DR solution to be provided cold backup and restore of CMS data?

 

c. Who will be handling the installation of the network link from the main CMS site to the DR site?

a. No

 

b. Yes

 

c. The Vendor

179 7.1.1.9.1. The solution shall have at least a 3 GHZ+ processor.

7.1.1.9.2. The solution shall include at least 32GB RAM and 256 SSD x 3 GB available disk space which increases with VM target on a certain device.

 

May we request to remove these specifications as an on-premise solution will be cost prohibitive compared to the cloud based counterpart?

We need this hardware on premise for doing our VAPT both from onsite and offsite.
180 7.1.1.7.16. The solution shall have the capability to support and continue the main SOC’s operation in case of disaster or emergency.

7.1.1.7.17. The DR management system shall include real-time backup and power management in case of emergency.

 

Please confirm that the DR solution should include only cold backup storage, in Phase 1, as stated in the pre-bid conference last June 7, 2018.

Please refer to the table below for changes in provisions.
181 7.1.1.8. Storage

 

The Data Lake requests refers to SIEM but there is no SIEM requirement mentioned in the Technical Specifications, thus, may we request to remove these specifications?

See specifications for log correlation.
182 7.1.1.9. Vulnerability Assessment and Penetration Testing (VA/PT) Tool

 

Can this be a cloud-based solution?

Yes, but a computer dedicated for VAPT must be provided
183 7.1.1.9.5. The solution shall be able to connect and operate with physical hardware in an effort to perform security testing on non-ethernet based systems.

 

May we request to remove the “non-ethernet based systems” since we are monitoring endpoints with IP addresses.

The specification for this will remain the same.
184 7.1.1.9.7. The solution shall automatically adjust its scans’ intensity according to how devices react, to avoid overloading them with scan traffic.

 

May we request to remove the phrase “it automatically adjust its scans’ intensity according to how devices react”, since we can manually set a particular scan to a considerable interval throughout the process?

The specification for this will remain the same.
185 7.1.1.9.16. The solution shall support up to 15000 endpoints (1500 per agency)

 

We request to lower number of endpoints to a more realistic figure, e.g. 7000 – 10000, in order to maximize the ABC, and cost effectiveness (avoid oversubscription)

Please refer to the table below for changes in provisions.
186 7.1.1.9.21. The solution shall identify presence of Load balancers, firewalls or other L3 devices during scan.

 

May we request to include the firmware and version of the devices because in this way, we can automatically identify if the solution is load balancer, firewall or other L3 devices?

Vendor shall provide any solution as long as it has features listed on the TOR
187 7.1.1.9.22. The solution shall provide Real-Time Correlation of Active Threats Against Vulnerabilities detected in the environment

 

Can we offer a cloud-based solution?

Yes
188 7.1.1.10. Network Infrastructure

 

May we request to remove these specifications? We/ the bidder, will just provide the network infrastructure required to support our offered solution, taking into consideration future expansion?

Exact or better solution.
189 9 Operation

9.1.1 Staffing of CMS Team for 3 years

 

a. May we request to change the requirement to 1-year Staffing of CMS Team only, as mentioned during the pre-bid conference?

 

b. Please advise the exact number of analysts required for 1 year.

a. Staffing of CMS Team will remain as stated in the Technical Specifications.

 

b. The vendor shall provide 1 analyst per Tier and 1 Supervisor for a total of 4 staff.

190 10 Warranty

10.2 Warranty issued in each component in the core shall be valid for twenty-four (24) months

 

Please confirm if the requirement is for 2 years or 3 years, since req. 10.2 is inconsistent with 12.1 and 12.2

Please refer to the table below for changes in provisions.
191 12 Licenses and Support

12.1 3 years perpetual license

 

Please confirm if the Perpetual License mentioned here is only for the inherent features, such as firewalling and WAN link load balancing in the case of the Next Generation Firewall.

Licenses and Support, and Perpetual license will cover all physical equipment and software installed in the SOC. This also includes the sensors and monitoring agents installed in the priority agencies’ network.
192 17 Service Level Agreement

 

We would like to suggest that a workaround which will allow full functionality may be accepted as Resolution time to a problem, while permanent resolution will be implemented over a longer time?

We will stick to the requirements in the Technical Specifications.
193 May we request for the throughput of the following devices?

1. IPS/IDS

2. NAPT/Sandboxing

3. ADC

4. DDoS

1. 3 Gbps inspection throughput (upgradeable up to 40Gbps via license)

2. 4Gbps

3. 20 Gbps application throughput, 450k connections per second and Full proxy load-balancing and context-switching solution

4. Throughput = 40Gbps and shall automatically reroute attacks greater than 40Gbps to cloud based scrubbing location.

194 Under Deployment Section, item 6.19 (pg. 78) stating “The solution software (SW) components should be agnostic to hardware (HW) components and vice versa.”, we believe that the intent of this clause is to provide DICT the option to make use of more cost-effective solutions besides proprietary HW-based solutions as needed. For services that are both available as cloud based and on-premise by dedicating exclusive hardware components, we are proposing to use and take advantage of the cloud solution.

 

Based from experience and recent trend in IT, using cloud solutions can bring improved uptime and reliability at a lower cost than investing massively on physical hardware and other traditional IT infrastructure which has an equivalent maintenance cost.

 

Thus, for VAPT, our proposed solution will require less hardware resources than what is stated in the ff items:

7.1.1.9.1

7.1.1.9.2

7.1.1.9.3

7.1.1.9.8.5

 

We would like to request the items above to be consolidated and stated as: “The software solution should run on an industry standard server and operating system platforms.”

Please refer to the table below for changes in provisions.
195 For item 7.1.1.9.8.4, we would like to request it to be restated to: “The solution shall be available in either hardware OR virtual appliance version.” Please refer to the table below for changes in provisions.
196 For the following items:

 

7.1.1.2.1.1.5. The solution shall have a correlation engine that looks for predefined indicators of compromise network-wide, correlates matched indicators, and automatically highlights compromised hosts, reducing the need for manual data mining.

 

7.1.1.2.1.1.7. The solution shall be able to identify unknown malware by using multi-method detection technology, such as static, dynamic, and bare metal analysis

 

7.1.1.2.1.1.8. The solution shall be able to provide context around attacks, such as who is the attacker, the campaigns it is involved, and including which industries are being targeted

 

7.1.1.2.1.1.9. The solution shall have “indicators of compromise” (IOCs) tagging for alerting organization when a specific threat has been observed in the organization or similar industry.

 

7.1.1.2.1.1.20. The solution shall identify unknown malwares and analyses it based on hundreds of malicious behaviors, and then automatically create and delivers protection.

 

Although the above features bring many benefits and enhanced protection against the growing number of threats, such features may have the added disadvantage of being labor-intensive to manage, hence adding to operational costs.  We would like to request that the above items be removed for the Firewall requirement as the functionalities mentioned shall be covered by the Network Advanced Threat Protection section 7.1.1.2.3.

These items will remain in the Technical Specifications.
197 For item 7.1.1.2.2.1.6. The solution shall have on premise protection against volumetric, state-exhaustion and application-layer DDoS attacks.

 

We would like to request to have the above section be restated as: “The solution shall have on premise protection against volumetric, state-exhaustion and application-layer DDoS attacks up to 40 Gbps, after which can automatically notify and reroute attack traffic to cloud based scrubbing location.” The reason being that the traffic generated by a DDoS attack can be significant, more than 100 Gbps is not uncommon. This means any DDoS protection device needs to have a large capacity to be able to prevent a relatively rare event from occurring.

Attack rerouting feature should exist aside from the on premise DDoS protection
198 For item 7.1.1.7. Disaster Recovery Management System

 

 

7.1.1.7.1. The Vendor shall provide disaster recovery site for the SOC.

We would like to clarify whether this will be a cold site for the portable CMS or just a cold backup of CMS data. This is to confirm that DICT will be using their own DR site and vendor will only be setting up the cold backup in DICT’s DR site.

The Disaster Recovery Site shall be a cold site of CMS wherein it should have the same functionalities except for the forensics.
199 1.  How many servers?

2.  How many laptops/desktops?

3.  How many mobile devices?

4.  How many database and what database?

5.  How many and what file servers?

6.  How many and what apps?

7.  How many admins required per level of NoC Security (L1 to L4)?

Under Deployment Item 6

6.2 Vendor should include all necessary hardware, system storage, database, and backup for the software or system in order to ensure continuity of operations.

 

With the statement above for individual cybersecurity software to be delivered comes with servers, storage, backup already configured.

1. How many servers? 17

2. How many laptops/desktops?

10 workstations for Analysts (L1-L3):

– 1 workstation for SOC manager

– 1 workstation for Info desk

– 1 workstation for supervisor

– 1 laptop for VAPT
– 1 backup laptop

 

3. How many mobile devices? None.

4. How many database and what database?

– Case management system database

– Forensic database

– Database for artificial intelligence/machine learning based on the solution.

– Other required by the security software solution

 

5. How many and what file servers?

– Storage Server for Physical Security (CCTV)

– Storage server for access of finger vein biometric and access pad

– Other required by the security software solutions

6. How many and what apps?

7.  How many admins required per level of NoC Security (L1 to L4)?

– 1 Supervisory access

– 1 for SOC manager

– 1 for SOC director

– Head of Cybersecurity Bureau

200 Video Wall Display: 1.25mm Bezel. None available in the market yet, but announced, the timing might be an issue. Please clarify if 1.25mm Combined Bezel (Bezel-to-Bezel), or same with the other video wall panel requirement (Bezel Width: Maximum of 2.25mm (left/top) / 1.25mm (right/bottom). Slimmest in the market standard is 1.8mm Combined Bezel for LCD. Please refer to the table below for changes in provisions.
201 (8.5.6) Since this is supply and install, it says POE, but shouldn’t it be POE or with PSU Supplied? Should consider PSU aside from POE. POE or PSU will do as long as this will suffice the requirements and the equipment can be integrated into the system
202  (8.9) Smart Board TV: There is no mention that it should be built-in PC. Is it safe to assume a Slide-In PC/Module or NUC is acceptable? Technical Specifications for this will remain the same.
203 (8.11) CCTV. This is an analog CCTV spec. Are they really ok with that? Can we propose an IP CCTV Solution? Also, for the sake of uniformity with the cables instead of oddly putting coaxial cables. Yes, we can allow a better solution as long as it will help the monitoring of the facility.
204  Lighting components included? Facility already has lights. Any additional requirements for lighting need to be considered when physical components are installed
205 Ceiling included? Additional requirement should be installed when equipment / devices needs it.
206 Elevation details needed for sizing. Please refer to the blueprint.
207 Reflected Ceiling Plan if available This is not available. Please understand that any physical solutions that the vendor will provide shall make any constructions to meet any requirements of that solutions.
208 We need structured cabling details, how many nodes etc. Please see attached diagram for this.
209 Raised Floor? Who will provide Flooring? The vendor.
210 If possible, Workstation outputs should be HDMI or DVI. Whichever is applicable
211 (8.5) Video Wall Control System. VW control system needs a server hardware since it would have a management server to do the layouts and processing of signals as well as routing. Need to have 1 Server hardware with min. specs running Windows Server 2012. Will we include in the quote? Any requirements needed for the solutions to be delivered to work shall be provided by the winning vendor. We only require there will be a clear documentation and specifications.
212 (8.10) What is the source of the Display for the SOC manager and assistant secretary? If part of the video wall to see video wall contents it needs to have receivers at least. 1 video wall for SOC manager in his office. Any requirements needed for the solutions to be delivered to work shall be provided by the winning vendor. We only require there will be a clear documentation and specifications
213 (8.9) What are the sources of the Smart Board TV? With this, you can only present using the built-in PC, or NUC added. You cannot present using own laptop since there is no provision for tabletop connectivity or even wall plates or wireless presentation. Also, will this show data from the video wall? If yes, this needs a receiver as well. Any requirements needed for the solutions to be delivered to work shall be provided by the winning vendor. We only require there will be a clear documentation and specifications
214 Audio: There are no audio provisions. There is no PA/BGM or even provisions for Audio in the video wall area (Operator Area) and only TV Speakers in Boardroom. No conferencing or playback capability? Any requirements needed for the solutions to be delivered to work shall be provided by the winning vendor. We only require there will be a clear documentation and specifications
215 2.1.3.5. The Vendor shall provide a valid certification from at least two of their clients to prove that they performed cyber forensic investigations specifically external attackers.

 

a. DICT: An Affidavit that project happened shall be submitted.

 

b. Question: In the affidavit, is it possible to just indicate the industry where the clients belong, since we still cannot include the client name nor make them sign the document as we are bound by a Non-disclosure agreement?

 

c. DICT: Include in the bid docs the contract covering the client name. Then upon bid opening we need to show only the original contract to validate.

 

d. COMMENT: Are there any other alternative means from DICT for us to provide the details of the contract since we are also bound by a non-disclosure agreement with the client.

An affidavit stating that the bidder has performed cyber forensic investigations specifically involving external attackers for at least two (2) clients should be submitted instead of the valid certification from at least two of their clients. Please refer to the table below for the changes in provisions.
216 9.1.1. The Vendor shall assist DICT in staffing the CMS team in three years up to a complete transfer of knowledge is achieved. This shall include at least one (1) personnel on each tier from Tier-1 to Tier-3 and another one (1) personnel that will act as a Supervisor.

 

Questions:

 

a. Can we make the term of the transfer of knowledge 1 year instead of 3 years?

 

b. Is there a CV format?

 

c. In the CV, shall it already include the names of the specific analysts/supervisor?

 

d. Is the Shift Manager same as the Supervisor?

 

e. Will we provide only for the Tier 1 – 3 and supervisor? How about the SOC Manager?
f. Will DICT hire the team or will they be outsourcing them to us?

a. 3 years is needed.

 

b. We have not indicated CV format.

 

c. Please include names

 

d. No

 

e. What we need is the analysts from tier1 to tier3. The SOC Manager will be coming from the DICT.

 

f. We need analysts from tier 1 to tier 3 and a supervisor from the vendor that will supervise the DICT team during its operation for 3 years.

217 Please find below additional recommendation to the BAC.

In the current payment terms, there is only 10% allocated to the onsite delivery of all hardware and software.  In projects like this, the hardware and software components are usually 60% to 70% of the total project costs.

May I therefore humbly suggest that the payment terms be modified as follows to reflect the percentage of delivery of the project components.

Upon onsite delivery of all Hardware/Software

Current: 10%

Recommended: 55%

 

Upon completion of installation and configurations

Current: 10%

Recommended: 5%

 

Upon completion of agreed testing

Current: 10%

Recommended: 5%

 

Upon Execution of VAPT to the Cybersecurity Management System’s Network

Current: 5%

Recommended: 5%

 

Completion of Testing to the Cybersecurity Management System’s Network

Current: 20%

Recommended: 5%

 

Upon Installation and Configuration of Hardware/Software to the Priority Agencies

Current: 10%

Recommended: 5%

 

Upon completion of operational stress test to the Cybersecurity Management System and Priority Agencies Network

Current: 15%

Recommended: 10%

 

Upon completion of knowledge transfers and submission of as built plans, operations and maintenance manuals, warranty completion of training sessions

Current: 20%

Recommended: 10%

Please see table below for the changes in provisions.
218 Does the end-user requires the monitoring of email traffic for DICT and the other 50 agencies? If yes, what is the estimated average of daily mail traffic for DICT and the other agencies that will be monitored? No.
219 In terms of connectivity of DICT to the other agencies and vice versa, what is the minimum and maximum internet speed that will be used? 50mbps – 100mbps
220 Section 6 – Schedule of Requirements

 

a. 1st Milestone is delivery of Hardware/Software – How about the Construction of Data Center prior to delivery of the equipment?

 

b. 5th Milestone is Hardware/Software Delivery to Priority agencies and 6th Milestone is Installation and configuration of hardware/software to Priority Agencies – Will DICT ensure that priority agencies are ready for the activity on the indicated schedule?

Priority agencies will be ready.
221 Section 7 – Technical Specifications Section 3 – Scope of work item 3.2 and 5 Page 75

 

Includes CCTV, civil works, structure cabling, etc.

 

SOC Layout

 

a. Will DICT provide all electrical requirements to support all equipment provided?

 

b. Will DICT provide the aircon requirements for the hardware?

a. Civil works shall be done simultaneously with the delivery of Hardware and Software to the Main SOC.

 

b. Yes, DICT will do the coordination to the Priority Agencies and will make sure that they will know and will comply on the requirements of the project.

222 Section 7 – Technical Specifications Section 6 – Deployment Page 77

 

For the 1st year, the solution shall cover ten (10) organizations in up to ten (10) different physical sites. These organizations are DICT, NSC, DND, DFA, PCOO, OP/PMS, DOE, DBM, DOF and NICA.

Will DICT ensure readiness of the 10 physical sites?

Yes, DICT will do the coordination to the Priority Agencies and will make sure that they will know and will comply on the requirements of the project.
223 Section 7 – Technical Specifications Section 6.7 – Deployment Page 77

 

The solution shall allow for distributed deployment, where the different subsystems can communicate over WAN (in case dedicated private lines of fiber are not available).

 

What does this require? Is this related to the installation of the 10 agencies?

Yes, this statement pertains to the communication of the core SOC to the 10 priority agencies
224 This is regarding the ongoing tender process related to the Cybersecurity Management System Project. Having gone through the technical and administration requirements in the Tender, Inter-Island Information Systems, Inc. (Tri.Ph) would like to highlight and contest 2 main concerns as identified in the tender material.

 

1. Provisioning of a 200Gbps Firewall

 

It is the opinion of Inter-Island Information Systems, Inc. (Tri.Ph) that the sizing of the firewall requirement is unnecessarily excessive. To our knowledge, there are currently no firewall implementations within the Philippines even remotely close to this sizing. With current internet pipeline capacity in the Philippines, a firewall of this size would be overly excessive. Furthermore, considering the many different components that are requested to be supplied through this tender, the compliance of providing a firewall of such size, would in our opinion result in unnecessary high costs to adhere to the request of DICT.

 

We believe that a firewall of a size of 50-80gbps would be ample to protect the operation of the SOC in question. In addition, there would be qualified staff and supporting staff to mitigate should there be an actual cyber-attack, whereby a 200Gbps firewall would not be necessary. We trust that DICT can see that such a request is within the realm of fairness and practical.

Firewall throughput is only 20GBPS
225 2. Proof of contract of similar project worth 50% of DICT Cybersecurity Management System project.

 

This requirement constitutes a challenge to adhere to, due to a number of reasons:

A. There are currently no similar projects of similar nature in the Philippines of this size, hence local contracts of this size at worst simply wouldn’t be available or at best very limited in number.

 

B. Projects of this nature are usually delivered with a combination of suppliers, which is also the case of current tender. Hence, it is only main contractor that combined will have the ability of showing contracts of such sizes and should any existing organizations with Cybersecurity management systems in place exist, then they could have purchased components individually and not as a common one large contract. Again, since Cyber Security contracts of this size in Philippines are extremely limited, this will place a natural hindrance of providing proof of such contract sizes.

 

C. Conversely, a single supplier will be a part of joint effort with main contractor, to combine various technologies and as such deliver a holistic solution. Thus, providing a single contract of equivalent of 5 million USD in and of itself is too strict of a requirement.

 

D. The provisioning of components to the DICT project can arguably be seen as a scaling up of deliverables to other organizations, whether local or international, that may previously have purchased a smaller amount of components / deliverables. Hence the sizing of any singular previous contract does not necessarily constitute a showcase or ability to deliver components and their integration into a common project, as it's simply a question of scaling with same elements.

 

E. This subject is further convoluted and made troublesome due to the nature of this project and the customers that suppliers supply to within this field of solutions and their respective field of expertise. Since customers would fall into security, national security, law enforcement, etc., then these customers are extremely reluctant to be referenced, let alone acknowledge purchased solutions and their contract sizes. This is particularly the case with larger contracts, which is exactly what DICT is demanding to see proof of.

 

F. Furthermore, and more importantly, it is common practice that very stringent NDAs are in place between suppliers and customers, NDAs that not only prohibit the disclosure of contractual details, but in and of itself specifically states that the NDA must not be disclosed. Demanding and enforcing suppliers to disregard these NDAs and understandings with their existing customers, and thus disclose contractual arrangements, simply cannot be circumvented by the suppliers to this tender – regardless of method, whether copies of contracts, NDAs, affidavits, etc.

 

As a compromise to this dilemma and reasoning as above, Tri would like to suggest that the singular 50% contractual proof of similar projects be levied and changed to a 25% accumulated contractual value.

 

OR

 

…be levied and changed to a 50% accumulated contractual value from suppliers and partners jointly providing their products and services in this bid.

 

We and our partners feel confident that documentation to this effect can be provided satisfactory and should serve the purpose of proving to DICT that similar projects of a certain size has been delivered to other clients. We trust that in the interest of providing a well-tested and previously implemented technology solution that such a compromise is satisfactory and serves the purpose as the stipulation of requirement initially and originally was designed for.

Please see table below on the changes in the provisions.
226 Bid Data Sheet, ITB Clause 21

 

We humbly ask the honorable DICTBAC4G&S to consider our request for extension of bid submission and opening until 31 July 2018 because we are still in process of securing the necessary Philippine documents for our foreign joint venture partner (i.e., Tax Clearance and PhilGEPS registration)

The submission of bid as per Supplemental Bid Bulletin No. 3 is 31 July 2018.
227 Technical Specification 6. Deployment

 

1. What are the total number of IPs of DICT and each of the agencies?

 

2. Can DICT provide a list of all devices as well for each of the agencies?

This will be provided to the winning bidder.
228 Technical Specification 7.1.1.1.3 Web Intelligence

 

7.1.1.1.3.2 What is “other media sites” Please provide detailed list

 

7.1.1.1.3.4 Please explain what it means.

 

7.1.1.1.3.8 What configuration

 

7.1.1.1.3.15 Please elaborate about the “etc.” and provide a detailed request.

 

7.1.1.1.3.16.1 Please clarify.

 

7.1.1.1.3.21 and 7.1.1.1.3.22 If you mean that the analyst will use the interface for interacting with the websites? So, our solution applies anonymous automatic web crawling. Thus, the solution enabling the organization to extract web information automatically and manual operations are minimized.

 

(Web Engagement) 7.1.1.1.3.37 to 7.1.1.1.3.47 If you mean that the analyst will use the interface for interacting with the websites? So, our solution applies anonymous automatic web crawling. Thus, the solution enabling the organization to extract web information automatically and manual operations are minimized.

 

(Analytics) 7.1.1.1.3.54 and 7.1.1.3.57 Needs clarification

 

7.1.1.1.3.58 What are the data sources

 

(Online Awareness) 7.1.1.1.3.61 and 7.1.1.1.3.62 Needs clarification

7.1.1.1.3.2 – Other media refers to other major sites that would help the analyst better gather valuable data. Vendor can add if not listed.

 

7.1.1.1.3.4 – SOC shall have the capability of having a realistic account that can be used to engage and login into social media account.

 

7.1.1.1.3.8 – Configuration refers to a solution that will allow the analyst to pick what to track and continuously provide intel on the specified site or transaction.

 

7.1.1.1.3.15 – etc. refers to anything that is not listed on this point, e.g. account last accessed or created. Please understand additional information from sources that would increase the value of the solutions are taken into consideration. This should be always one of the objectives of the solution provider.

 

7.1.1.1.3.16.1. – Solution shall provide something like crawling the internet that has a crawler definition that blocks google bot.

 

7.1.1.1.3.21 and 7.1.1.1.3.22 – No changes for this section. Vendor solution is the same with the item on these points

 

(Web Engagement) 7.1.1.1.3.37 to 7.1.1.1.3.47 – No changes for these points. Vendor points are the same.

 

(Analytics) 7.1.1.1.3.54 and 7.1.1.3.57 – No changes to this. For clarification, the SOC needs solutions where the analyst can link a person's identity on social media to other suspected fake accounts. Bound for investigation.

 

7.1.1.1.3.58 – No changes. Any profiles from any social media that are allowed for scraping.

 

(Online Awareness) 7.1.1.1.3.61 – System shall be able to assist analyst in investigation on current situation. A tool to scout the internet in near real time.

 

7.1.1.1.3.62 – Solution shall have the flexibility in producing results based on the criteria provided by the analyst.

229 8.12. Access Control Authentication

8.12.1. Finger-Vein Authentication

 

a. Can we offer an alternative proximity authentication apart from finger vein sensor? Upon checking the specifications are pointing to a Korean brand that has no local office or distributor in the Philippines. As such, we may have issues on the after-sales support of this product.

 

b. Do you require finger vein authentication for both computer login and door access control or only for the door access control?

a.  Original specifications will be retained as market research was conducted for several months before the pre-bid.

 

b. Finger Vein is only for the man trap door access control. Computer login can be different specifications.

230 Soc Desktop Package (9 units)

 

a. Can we offer different brands for the Monitor and the CPU? Since upon checking the monitor specifications are only offered for consumer models of few brand labels?

 

b. For the Processor, we would like to request to change the Processor to Intel Core i7 because Core i9 is not yet available in Branded Workstations sold in the Philippines.

a. SOC desktop will remain since delivery of this will be in few months and this is a result of the team market research few months back.

 

b. Specifications will remain since SOC operation shall be on its full speed when in terms of desktops so that this will be useful for the next 3 to 5 years.

231 Due to Non-disclosure agreement (NDA), we can only provide the rest of the information without the name of the end user for the Single Largest Completed Contract requirement under Annex IA. We cannot also provide for Certificate of Performance Evaluation as required by Annex VII. May we request that we leave the name of the end user blank and that instead of the Certificate of Performance Evaluation, during post qualification, we can authorize either a face-to-face meeting or phone call between DICT and end-user representatives to assure veracity of information. For the Statement of Single Largest Completed Contract, all the information stated in Annex I-A should be given.

 

For the Certificate of Performance Evaluation, this requirement is deleted.

232 For Section 9. Operation

 

Section 9.1.1. May we know how many staff from bidder will be deployed per shift? What is the definition of Tier 1, 2 and 3?

It is in the Technical Specifications. 1 level one analyst, 1 level two analyst, 1 level three analyst and 1 analyst supervisor.
233 For Section 8.4. Video wall display:

 

Section 8.4.1.4. May we know the definition of bezel-to-bezel gap? If the definition is the total bezel width of the 2 displays placed side by side, then may we request this to be at most 2.5mm? This is because the 1.25 mm. is just the industry standard bezel width of displays.

 

Section 8.4.1.9. Can the weight be at most 30 kg? This is a very small difference and the mount can carry the said weight. May we also request the option for packed weight? This is because most of the Video wall indicates only their packed weight.

 

Section 8.4.1.10. May we know if we can provide for alternative to VESA mounting ports, although the alternative does work the same as all other front-service wall mounts

 

Section 8.9.1.4.1 May we ask if we can provide the same or alternative technology to tempered glass, i.e., InGlass technology?

 

Section 8.4.1.11. and 8.10.13. May we request the power consumption to be extended to maximum of 180 watts, which is the standard for displays?

All specifications will be retained as this was the result of the market research the team conducted several months ago
234 For Section 8.12. Access Control Authentication

 

8.12.2.1.7. Please explain how “First-in-unlock” rule enforcement works.

 

– Section 8.12.1.16. Can the camera be separated and not built-in to accommodate flexibility?

 

– Section 8.12.1.18. and 8.12.1.19. Can we relax the Operating Temperature and Humidity Requirements?

 

– Section 8.12.1.21. May we request the dimensions to be bigger?

All specifications will be retained, as this was the result of the market research the team conducted several months ago.
235 IPS/IDS

7.1.1.2.5.3., 7.1.1.2.5.6, 7.1.1.2.5.7., 7.1.1.2.5.8., 7.1.1.2.5.10., 7.1.1.2.5.11., 7.1.1.2.5.13.

 

We would like to request that this item be removed for the IPS/IDS requirement as functionalities mentioned shall be covered by the Network Advanced Threat Protection Section 7.1.1.2.3.

If the capabilities of the solutions provided by the winning vendor after evaluation by the TWG exist on other appliance and software, then the suggestion by the vendor will be considered.
236 Since all the 10 agencies will have a log collector in place, are we assuming that the existing equipment for each of the 10 agencies will do the configuration for their equipment to point their logs to our log collector?
The deployment of the log collector on the 10 priority agencies would also mean this should work before the vendor turns it over to the end-user; thus the configuration of the solution shall be fully functional.
237 Does the initial endpoint protection of 1500 cover the geo expansion of each agency?
The base number of endpoints is 5000 during the first year and another 5000 for year two plus 5000 on the 3rd year. Geo expansion will only be realized once there is excess on the main set of protected endpoints.
238 For the disaster recovery site, does it follow the same equipment that should be installed on the DR site?
There are only two DR sites. First is on premise. This DR is composed of a redundant copy of the major systems, both hardware and software, and its data collected and stored. The second is a cold site backup which is in the cloud. The cloud DR is only a copy of the systems and its data. Backup on the cloud does not include forensics.
239 Do you have a preferred sizing location for the disaster recovery site?
On premise and in the cloud shall be able to cater realistic sizing.
240 Do we have to replicate the security equipment in the SOC to the DR site?
In the posted Supplemental Bid Bulletin it was stated there that redundancy of the security solutions shall be delivered as well.
241 Does the FW, DDOS, IPS/IDS and APT need to be deployed in 10 agencies as stated on the TOR?
Only Log collector, agents and forensics capability will be deployed in the 10 priority agencies.
242 Does the 2 years warranty start with the delivery of the equipment?
The warranty and support is 3 years. It will start upon the acceptance of the delivered solutions and equipment.
243 Is the UPS required for the server room? What would be the required capacity?
Yes. We only require 10 minute power of the UPS that can cater servers.
244 12.1 (b)(ix) Valid Certification from at least two (2) of the bidder’s clients to prove that they have performed cyber forensic investigations specifically involving external attackers

May we request to remove this requirement for the same reason which requires us to submit/disclose sensitive information of our clients that may infringe the rules of the contract with regards to the Security/ National Security for that matter?

This has been discussed during the pre-bid. Vendor shall only be required to submit a notarized affidavit without disclosing the client names. The provider shall provide two (2) Single Largest Contract (SLC) and each SLC shall have 25% of the project’s ABC.
245 12.1 (b)(vi) Certificate of Performance Evaluation (Annex VII) showing a rating at least Satisfactory issued by the Bidder’s Single Largest Completed Contract Client stated in the submitted Annex IA

May we request to allow submission of a Site Acceptance Testing (SAT) document in lieu of the Certificate of Performance Evaluation (Annex VII)?

To protect the end user we will retain the line item stated on this annex. This will assure the end user that vendor will be able to finish the project satisfactory or better.
246 7.1.1.2.1.1.10. The solution shall be capable of creating threat protections by directly exporting IOCs lists that can be automatically enforced as policy, and also imported to the third-party.

Can we omit the “automatically enforced as policy” since all firewalls need manual intervention to create policy? Also, we need to know what specific third party are you referring to?

The line in this number is a product of market research by the team last year. End-user requires automation to combat huge threats and malicious packets. This line shall be retained.

Winning vendor shall provide support to the end-user. If there is a special case that IOCs need to be exported to new hardware or other government centers that IOCs should work.

247 Section 7.1.1.2.1.1.16 Security management application must only be managed by administrator accounts and can co-exist with security gateway. Additional log servers must be supported by gateway but central logging and searches must be done on the security management appliance. Otherwise, a browser-based access is a must. For easy viewing and basic settings configuration, a front LCD panel display is a must.

Requesting to remove “for easy viewing and basic settings configuration, a front LCD panel display is a must”? All firewalls have visual indicators and use out of band management and GUI based management

If the firewall visual functions or features are the same with what we indicated then this line item will be satisfied.
248 7.1.1.2.3.4. Detection appliance OS software shall automatically be updated from the Web management GUI.

Can we request to remove the term “automatically”, since update of OS is being done manually via web management GUI.

We will retain the said item. The detection and automatic updates of software and security solutions shall exist as features of any systems of the SOC. Software nowadays comes with options such as automatic updates and manual update.
7.1.1.2.3.47. The solution shall have the ability to be deployed in the following modes: IN-LINE and SPAN / TAP

FortiSandbox is not an inline sandbox solution. We can probably request here to re-state it this way: The solution shall have the ability to be deployed in ANY of the following modes or equivalent: IN-LINE and SPAN / TAP

This line has been updated on the supplemental bid bulletin to be more flexible. We cannot make this to ANY.

The system integrator shall look for solutions that will be able to meet the requirements.

249 7.1.1.2.6.14. Must have REST-style XML API support, TCL Scripting Support and Symmetric Multi-Processing Support

 

FortiADC supports LUA scripting, RESTful API and NUMA. Can we request to state “ANY” or the term “equivalent solution” in the statement?

We will retain the line item and features as this is a product of market research of the team last year.
250 Section VI. Schedule of Requirements

 

Can we make the installation and configuration at least 1.5 months and the hardware/software delivery to priority agencies to 1 month? The total number of months will still be 10 months.

The Schedule of Requirements as stated in the SBB3 shall be retained with hardware/software delivery for 1.5 months.
251 Section VI. Schedule of Requirements

 

Do you have any particular test parameters in the conduct of the operational stress test or we will follow the stress test from the manufacturer of the product that we are offering?

None. We will follow the stress level test from the manufacturer of the product.
252 Section VII. Technical Specifications

Item No. 3.1. SOC Setup

a. Does the building exist? If yes, please provide a copy of existing area to see if there are items to dismantle.

Which floor in the building?

 

b. Please provide as-built plan of structural, civil, electrical and mechanical works.

 

c. How many racks are there and what is the maximum capacity in each rack?

 

d. What is the capacity of the existing tapping point, if any?

 

e. What is the capacity of the existing genset, if any?

 

f. What is the existing grounding system?

 

g. Can we schedule a site inspection? If yes, with whom should we coordinate?

a. The 2nd floor of the building will be the location of the SOC. Only 4 air conditioners are installed at the site. The existing area is reflected in the provided Electrical Outlet Wiring Diagram.

 

b. We can only provide layout and diagrams of the aforementioned plans which were attached in the SBB3.

 

c. The quantity and specification of the racks are included in the published SBB3.

 

d. The electrical wiring has already been provided for tapping. The power rating will depend on the provided solution.

 

e. There is an existing genset. Specific details shall be disclosed to the winning vendor. The capacity can be adjusted depending on the proposed solution.

 

f. Specific details shall be disclosed to the winning vendor. The capacity can be adjusted depending on the proposed solution.

 

g. We won’t allow site visits.

253 Item No. 7.1.1.2.5

 

a. What is the throughput that the IPS should process/ handle?

 

b. Do you plan to connect it as Inline? TAP? Monitor port?

 

c. If it is in Inline mode, does it require to have Fail-open Kits (Bypass)?

a. up to 20GPS when necessary

 

b. This line has been modified and lowered to accommodate more solutions during the first supplemental Bid bulletin.

 

c. Please check item supplemental bid bulletin for changes.

254 Item No. 7.1.1.2.2.1.4.

 

Is it ok to have a Volumetric DDos Protection without a scrubbing center?

No, end-user likes to have a solution that will be able to handle large DDOS that can be redirected to the cloud for flexibility.
255 Item No. 7.1.1.2.2.2.5.

 

Please clarify the intent of including such compliance for the solution itself? This seems different from solution providing PCI DSS compliance report for DICT environment.

End-user likes to have this standard to make sure we will cover this environment.
256 Item No. 7.1.1.2.2.3.2.

 

What is the internet bandwidth at your location?

At least 200 Mbps bandwidth
257 Item No. 7.1.1.2.2.4.5.

 

Is there another SIEM existing prior to the solution? If so, which one?

None
258 Item No. 7.1.1.2.2.5.3.

 

Proxy and BGP/GRE Vendor needs to provide web interface for configuration.

Yes end user requires a web interface to configure the solution on this item
259 Item No. 7.1.1.2.2.5.4.

What is the current users count and what is the expected increase during the contract period?

No specific count. Users count will be based on the 500 endpoints per agency per year which will sum up to 15000 by the 3rd year.
260 Item No. 7.1.1.2.3.5.

 

Please clarify the intent of including malware detonation for Threat Protection?

The purpose of malware detonation is to identify if a particular payload contains malware. This feature was based on the team’s market research.
261 Item No. 7.1.1.2.4.1.

 

Is an agent based solution required? What if the solution is agentless?

We will retain the line item and features as this is a product of market research of the team last year.
262 Item No. 7.1.1.2.5.4

 

Please elaborate about separate filter and filter updates.

Aside from its initial embedded point of references, IPS/IDS shall have a feature that allows additional information that can be used to make capabilities more accurate in detection of anomalies.
263 Item No. 7.1.1.2.5.6.

 

Please elaborate about “before and after differential comparison or VM state is not acceptable”

The analysis of the malware shall be performed in runtime to avoid possible changes in the environment if done thru differential comparison or state.
264 Item No. 7.1.1.5.2.9.

 

This is the same as 7.1.1.5.2.8. Is it a mistake?

Item 7.1.1.5.2.9 will be omitted.
265 Item No. 7.1.1.7.3.

What are the specifications of the backup storage appliance? (Appears to be 13TB as specified in 7.1.1.7.10)?

The backup storage specifications are stated in items 7.1.1.7.9 to 7.1.1.7.13
266 Item No. 15. Payment Terms / Progress Payment

 

a. Do we need to declare the following cost for each individual priority agencies? Our concern is that, what if there will be delays in the acceptance of all agencies, does it mean that we will not be paid unless the scope of work for all 10 agencies was completed?

 

– Installation and configuration of hardware/software

– Completion of operational stress test to the Cybersecurity Management System and Priority Agencies Network

 

b. Can we be paid based on the partially completed agencies (i.e., 8 out of 10 agencies)?

a. No, please use the Detailed Financial Breakdown, as provided in the bidding documents.

 

b. As stated in the Bidding Documents, the scope of work for all 10 agencies must be completed in order to acquire the corresponding payment.

267 For the supporting documents of the SLCC, can the contract be submitted (instead of the OR, End User Acceptance or Sales Invoice) to show the project completion date and amount?

 

The OR and the Sales Invoice only show the partial amount while the End User Acceptance does not show the amount.

 

The contract on the other hand provides the information on the project amount (needed to verify whether it satisfies the minimum required amount) and the completion date of the project. The contract satisfies the objective of the BAC to validate the information submitted by the bidder.

No. Only any of the following documents must be submitted corresponding to listed contracts per submitted Annex I-A:

 

a. Copy of end user’s acceptance;

b. Official receipt/s; or

c. Sales Invoice

268 7.1.1.3.6. Log Collection and Correlation

1. What is the network bandwidth for log collection/transmission from 10 agencies to SOC? Any limitation?

2. What is the expected EPS (event per second) from all 10 agencies? Any requirement on the EPS?

1. 50 Mbps-100 Mbps

2. This information will be disclosed to the winning vendor.
269 7.1.1.3.6.9. The solution shall comply with a globally accepted cyber security compliance standard/s.

 

May we know what is the expected “globally accepted cyber security compliance standard/s.”?

Globally accepted cybersecurity compliance standard/s shall mean guidelines and regulations related to information security and data protection which are recognized around the world such as ISO/IEC 27000 series, PCI DSS, CCM, NIST, and the like.
270 Item No. 7.1.1.1.1.7.

 

The requirement is to connect to the internal and external Data Sources. How many structured and unstructured data sources we have to connect to?

Threat Intelligence Feeds to the system solutions will be effective if it has a good number of sources. Vendor is expected to have capabilities and already has lists or use data sources before. Since this is a threat intelligence system, end-user requires at least 30 data sources coming from different sources. It is also specified in the TOR that no matter how many the resources to connect, the solution shall be able to filter these feeds and only those categorized as high risk will be evaluated by the analysts.
271 Item No. 7.1.1.1.3.60 – Popular blogs from around the world- Vbulletin

 

a. Can we be provided with a list or the minimum number of blog forms to provide?

 

b. Can we be provided with the number of Web forums and Dark-net forums?

a. A minimum of 10 popular blogs. However, solutions shall be able to easily add additional feeds from vbulletin and blogs as end-user believes this is a basic technology to include in the solution.

 

b. A minimum of 5 darknet forums and web forums. However, solutions shall be able to easily add additional feeds from darknet forums and web forums.

272 Item No. 7.1.1.1.2.3

 

Can we be provided with the number of Web forums and Dark-net forums?

Redundant question:

a. A minimum of 10 popular blogs. However, solutions shall be able to easily add additional feeds from vbulletin and blogs as end-user believes this is a basic technology to include in the solution.

 

b. A minimum of 10 darknet forums and web forums. However, solutions shall be able to easily add additional feeds from darknet forums and web forums.

273 Item No. 7.1.1.1.2.4

 

a. What are the Data Sources that we will be connected to? Will it just be open source as specified in 7.1.1.1.3.60?

 

b. If there are additional open source requirements, can we be provided with the list?

 

c. If the data is from internal and/or external data sources, can we be provided with the number of data sources?

a. Aside from feeds already listed in the TOR, Solutions shall be able to add more feeds. Vendor is expected to have these capabilities.

b. There are no specific open source requirements. However, the end-user shall be able to add more open-source feeds to the data source list if needed.

c. System shall be able to handle an increasing number of data sources. Please be guided that every year the SOC will be adding a new set of government agencies.

274 Item No. 7.1.1.1.2.5

 

Kindly specify the required language

Top 10 spoken languages in the world. This will make threat intelligence feeds effective.
275 Item No. 7.1.1.2

 

a. For the Next Generation Firewall, it was mentioned that it should have 200GB throughput. But since there’s also a UTM, what should be the throughput?

 

b. What is the sizing for the SSL inspection?

 

c. For the 200GB throughput, is this the RAW support needed before any enforcement & detection engines are turned on (i.e. IPS, Sandbox, AVC, etc.)?

 

d. Is the endpoint protection management cloud-based or on-premise?

 

e. Should the sandbox services be on-premise, public cloud, or both?

a. NGF shall have at least 20 GBPS Throughput. UTM is also 20GBPS.

 

b. This is depending on the solution by the vendor. Please note that this solution shall be able to handle 50 agencies during the first 3 years of the operations of SOC.

 

c. NGF shall have at least 20 GBPS. This is mixed data. Some of the data is already filtered before passing to the firewall.

 

d. On Premise

 

e. Both

276 Item No. 7.1.1.2.5

 

What is the sizing. Is IPS on the FW acceptable?

IPS on FW is acceptable.
277 Item No. 7.1.1.3.3

 

Sandbox – How many users, what kinds of interfaces, and how much files are needed to be scanned per hour?

Solutions shall be based on the number of agents which is 15,000 for the first three years. Sandbox will be only used when there are anomalies and malicious files detected. Basically it will only scan what’s already inside the sandbox. Per hour scanning can be assumed. Sandbox shall have the feature to notify analysts for any detections found.
278 Item No. 7.1.1.3.3.6

 

a. Can we have estimation on amount of samples (files) per day that need to be analyzed?

 

b. What types of ports does the solution need to support (i.e. 1GB copper/fiber, 10G FC, 40G FC, 100G, etc)? How many of each?

 

c. May we request for a Network Topology and Traffic Flow Overview?

a. Systems solution shall be able to scan thousands of files per day and whatever is detected must be filtered according to its threat level. End-user specified that Artificial Intelligence and Machine learning shall be able to generate actionable intelligence to the analysts.

b. Solutions shall be able to scan all ports. Solutions can use any port as long as it is secured and can provide the features stated on TOR and SBB. Internet connection on premise is at least 200Mbs fiber/leased line. SOC to Agency is 50mbs – 100mbs. Firewall throughput is 20GBPS.

 

c. This will vary on what kind of solution the vendor will provide. Design attached to the TOR shall be followed by the vendor.

279 Item No. 8.2 Submission Requirement

 

Should these documents be provided during the bid?

These should be submitted during the bid opening.
280 Diagram – Room Dimension

The room dimension states “cm” as unit of measurement. Should it be “mm” instead?

This should be in mm. Please see amended provision.

 

 

 

ORIGINAL PROVISION AMENDED PROVISION
SECTION I. INVITATION TO BID
3. Delivery Place and Delivery Period: 3. Delivery Place and Delivery Period:
Delivery Place Delivery Period Delivery Place Delivery Period
Department of Information and Communications Technology (DICT), 49 Don A. Roces Ave, Quezon City Within ten (10) months days from receipt of Notice to Proceed Department of Information and Communications Technology (DICT), 49 Don A. Roces Ave, Quezon City Within three hundred fifteen calendar days from receipt of Notice to Proceed
4. A prospective Bidder should have completed within the last five (5) years from the date of submission and receipt of bids at least one (1) single contract of similar nature amounting to at least fifty percent (50%) of the ABC.

 

For this project, “similar in nature” shall mean “Security Operations Center (SOC)”.

4. A prospective Bidder should have completed within the last five (5) years from the date of submission and receipt of bids at least one (1) single contract of similar nature amounting to at least fifty percent (50%) of the ABC OR at least two (2) contracts of similar nature, the aggregate amount of which should be equivalent to at least fifty (50%) of the ABC, the largest of these contracts must be equivalent to at least twenty-five (25%) of the ABC.

 

For this project, “similar in nature” shall mean “Security Operations Center (SOC)”.

SECTION II. INSTRUCTION TO BIDDERS
2. Documents Comprising the Bid: Financial Component

2.1 Unless otherwise stated in the BDS, the financial component of the bid shall contain the following: xxxx

2.2. (a) Unless otherwise stated in the BDS, all bids that exceed the ABC shall not be accepted.

13. Documents Comprising the Bid: Financial Component

13.1. Unless otherwise stated in the BDS, the financial component of the bid shall contain the following: xxxx

13.2. (a) Unless otherwise stated in the BDS, all bids that exceed the ABC shall not be accepted.

3. Alternative Bids 14. Alternative Bids
4. Bid Prices

4.1. The Bidder shall complete the appropriate Schedule of Prices xxxx

4.2. The Bidder shall fill in rates and prices for all items of the Goods described in the Schedule of Prices. xxxx

4.3. The terms Ex Works (EXW), Cost, Insurance and Freight (CIF), Cost and Insurance Paid to (CIP), Delivered Duty Paid (DDP), and xxx

4.4. Prices indicated on the Price Schedule shall be entered separately in the following manner: xxx

4.5 Prices quoted by the Bidder shall be fixed during the Bidder’s performance of the contract and not subject to variation xxx

15. Bid Prices

15.1. The Bidder shall complete the appropriate Schedule of Prices xxxx

15.2. The Bidder shall fill in rates and prices for all items of the Goods described in the Schedule of Prices. xxxx

15.3. The terms Ex Works (EXW), Cost, Insurance and Freight (CIF), Cost and Insurance Paid to (CIP), Delivered Duty Paid (DDP), and xxx

15.4. Prices indicated on the Price Schedule shall be entered separately in the following manner: xxx

15.5. Prices quoted by the Bidder shall be fixed during the Bidder’s performance of the contract and not subject to variation xxx

5. Bid Currencies

5.1. Prices shall be quoted in the following currencies: xxx

5.2. If so allowed in accordance with ITB Clause 16.1, the Procuring Entity for purposes of bid evaluation xxx

5.3. Unless otherwise specified in the BDS, payment of the contract price shall be made in Philippine Pesos.

16. Bid Currencies

16.1. Prices shall be quoted in the following currencies: xxx

16.2. If so allowed in accordance with ITB Clause 16.1, the Procuring Entity for purposes of bid evaluation xxx

16.3. Unless otherwise specified in the BDS, payment of the contract price shall be made in Philippine Pesos.

6. Bid Validity

6.1. Bids shall remain valid for the period specified in the BDS which shall not xxx

6.2. In exceptional circumstances, prior to the expiration of the bid validity period, xxx

17. Bid Validity

17.1. Bids shall remain valid for the period specified in the BDS which shall not xxx

17.2. In exceptional circumstances, prior to the expiration of the bid validity period, xxx

7. Bid Security

7.1. The bidder shall submit a Bid Securing Declaration or any form of Bid Security xxx

7.2. The bid security should be valid for the period specified in the BDS xxx

7.3. No bid securities shall be returned to Bidders after the opening of bids xxx

7.4. Upon signing and execution of the contract pursuant to xxx

7.5. The bid security may be forfeited: xxx

18. Bid Security

18.1. The bidder shall submit a Bid Securing Declaration or any form of Bid Security xxx

18.2. The bid security should be valid for the period specified in the BDS xxx

18.3. No bid securities shall be returned to Bidders after the opening of bids xxx

18.4. Upon signing and execution of the contract pursuant to xxx

18.5. The bid security may be forfeited: xxx

8. Format and Signing of Bids

8.1. Bidders shall submit their bids through their duly authorized representative xxx

8.2. Forms as mentioned in ITB Clause 19.1 must be completed xxx

8.3. The Bidder shall prepare and submit an original xxx

8.4. Each and every page of the Bid Form, xxx

8.5. Any interlineations, erasures, or overwriting shall be valid xxx

19. Format and Signing of Bids

19.1. Bidders shall submit their bids through their duly authorized representative xxx

19.2. Forms as mentioned in ITB Clause 19.1 must be completed xxx

19.3. The Bidder shall prepare and submit an original xxx

19.4. Each and every page of the Bid Form, xxx

19.5. Any interlineations, erasures, or overwriting shall be valid xxx

9. Sealing and Marking of Bids

9.1. Bidders shall enclose their original eligibility and technical documents xxx

9.2.  Each copy of the first and second envelope xxx

9.3. The original and the number of copies of the Bid xxx

9.4.  All envelopes shall: xxx

9.5. Bid envelopes that are not properly sealed and marked xxx

20. Sealing and Marking of Bids

20.1. Bidders shall enclose their original eligibility and technical documents xxx

20.2.  Each copy of the first and second envelope xxx

20.3. The original and the number of copies of the Bid xxx

20.4.  All envelopes shall: xxx

20.5. Bid envelopes that are not properly sealed and marked xxx

10. Deadline for Submission of Bids 21. Deadline for Submission of Bids
11. Late Bids 22. Late Bids
12. Modification and Withdrawal of Bids

12.1. The Bidder may modify its bid after it has been submitted xxx

12.2. A Bidder may, through a Letter of Withdrawal, xxx

12.3. Bids requested to be withdrawn in accordance with ITB 23.1 xxx

12.4. No bid may be modified after the deadline for submission of bids. xxx

23. Modification and Withdrawal of Bids

23.1. The Bidder may modify its bid after it has been submitted xxx

21.2. A Bidder may, through a Letter of Withdrawal, xxx

23.3. Bids requested to be withdrawn in accordance with ITB 23.1 xxx

23.4. No bid may be modified after the deadline for submission of bids. Xxx

13. Opening and Preliminary Examination of Bids

13.1. The BAC shall open the bids in public, immediately after the deadline for submission and receipt of bids, xxx

13.2. Unless otherwise specified in the BDS, the BAC shall open the first bids envelopes xxx

13.3. Unless otherwise specified in the BDS, immediately after determining compliance with the requirement in the first envelope, xxx

13.4. Letters of Withdrawal shall read out and recorded during bid opening, xxx

13.5. All members of the BAC who are present during the bid opening shall initial every page of the original copies of all bids received and opened.

13.6 In the case of an eligible foreign bidder as described in ITB Clause 5, xxx

13.7. Each partner of a joint venture shall likewise submit the requirements in ITB Clause 12.1(a)(i). xxx

13.8. The Procuring Entity shall prepare the minutes of the proceedings of the bid opening that shall include, xxx

24. Opening and Preliminary Examination of Bids

24.1. The BAC shall open the bids in public, immediately after the deadline for submission and receipt of bids, xxx

24.2. Unless otherwise specified in the BDS, the BAC shall open the first bids envelopes xxx

24.3. Unless otherwise specified in the BDS, immediately after determining compliance with the requirement in the first envelope, xxx

24.4. Letters of Withdrawal shall read out and recorded during bid opening, xxx

24.5. All members of the BAC who are present during the bid opening shall initial every page of the original copies of all bids received and opened.

24.6. In the case of an eligible foreign bidder as described in ITB Clause 5, xxx

24.7. Each partner of a joint venture shall likewise submit the requirements in ITB Clause 12.1(a)(i). xxx

24.8. The Procuring Entity shall prepare the minutes of the proceedings of the bid opening that shall include, xxx

14. Process to be Confidential

14.1. Members of the BAC, including its staff and personnel, as well as its Secretariat and TWG, xxx

14.2. Any effort by a bidder to influence the Procuring Entity’s decision in respect of bid evaluation xxx

25. Process to be Confidential

25.1. Members of the BAC, including its staff and personnel, as well as its Secretariat and TWG, xxx

25.2. Any effort by a bidder to influence the Procuring Entity’s decision in respect of bid evaluation xxx

15. Clarification of Bids 26. Clarification of Bids
16. Domestic Preference

16.1. Unless otherwise stated in the BDS, the Procuring Entity will grant a margin of preference xxx

16.2. A Bidder may be granted preference as a Domestic Bidder subject to the certification from the DTI xxx

27. Domestic Preference

27.1. Unless otherwise stated in the BDS, the Procuring Entity will grant a margin of preference xxx

27.2. A Bidder may be granted preference as a Domestic Bidder subject to the certification from the DTI xxx

17. Detailed Evaluation and Comparison of Bids

17.1. The Procuring Entity will undertake the detailed evaluation and comparison xxx

17.2. The Lowest Calculated Bid shall be determined in two steps: xxx

17.3. The Procuring Entity’s BAC shall immediately conduct a detailed evaluation of all bids rated “passed”, xxx

17.4. Based on the detailed evaluation of bids, those that comply with the above-mentioned requirements shall be ranked xxx

17.5. The Procuring Entity’s evaluation of bids shall be based on the bid price quoted xxx

17.6. Bids shall be evaluated on an equal footing to ensure fair competition. Xxx

17.7. If so indicated pursuant to ITB Clause 1.2, xxx

28. Detailed Evaluation and Comparison of Bids

28.1. The Procuring Entity will undertake the detailed evaluation and comparison xxx

28.2. The Lowest Calculated Bid shall be determined in two steps: xxx

28.3. The Procuring Entity’s BAC shall immediately conduct a detailed evaluation of all bids rated “passed”, xxx

28.4. Based on the detailed evaluation of bids, those that comply with the above-mentioned requirements shall be ranked xxx

28.5. The Procuring Entity’s evaluation of bids shall be based on the bid price quoted xxx

28.6. Bids shall be evaluated on an equal footing to ensure fair competition. Xxx

28.7. If so indicated pursuant to ITB Clause 1.2, xxx

18. Post Qualification

18.1. The BAC shall determine to its satisfaction whether the Bidder that is evaluated xxx

18.2. Within a non-extendible period of five (5) calendar days from receipt xxx

18.3. The determination shall be based upon an examination of the documentary evidence xxx

18.4. If the BAC determines that the Bidder with the Lowest Calculated Bid passes all the criteria xxx

18.5. A negative determination shall result in rejection of the Bidder’s Bid, xxx

18.6. Within a period of not exceeding fifteen (15) calendar days from the determination by the BAC of the LCRB xxx

18.7. In the event of disapproval, which shall be based on valid, reasonable, and justifiable grounds as provided for under Section 41 of the IRR of RA 9184, xxx

29. Post Qualification

29.1. The BAC shall determine to its satisfaction whether the Bidder that is evaluated xxx

29.2. Within a non-extendible period of five (5) calendar days from receipt xxx

29.3. The determination shall be based upon an examination of the documentary evidence xxx

29.4. If the BAC determines that the Bidder with the Lowest Calculated Bid passes all the criteria xxx

29.5. A negative determination shall result in rejection of the Bidder’s Bid, xxx

29.6. Within a period of not exceeding fifteen (15) calendar days from the determination by the BAC of the LCRB xxx

29.7. In the event of disapproval, which shall be based on valid, reasonable, and justifiable grounds as provided for under Section 41 of the IRR of RA 9184, xxx

19. Reservation Clause

19.1. Notwithstanding the eligibility or post-qualification of a Bidder, the Procuring Entity concerned reserves the right to review its qualifications xxx

19.2. Based on the following grounds, the Procuring Entity reserves the right to reject xxx

19.3. In addition, the Procuring Entity may likewise declare of bidding when: xxx

30. Reservation Clause

30.1. Notwithstanding the eligibility or post-qualification of a Bidder, the Procuring Entity concerned reserves the right to review its qualifications xxx

30.2. Based on the following grounds, the Procuring Entity reserves the right to reject xxx

30.3. In addition, the Procuring Entity may likewise declare of bidding when: xxx

20. Contract Award

20.1. Subject to ITB Clause 29, the HoPE or its duly authorized representative shall award xxx

20.2. Prior to the expiration of the period of bid validity, xxx

20.3. Notwithstanding the issuance of the Notice of Award, xxx

20.4. At the time of contract award, the Procuring Entity shall not increase or decrease the quantity xxx

31. Contract Award

31.1. Subject to ITB Clause 29, the HoPE or its duly authorized representative shall award xxx

31.2. Prior to the expiration of the period of bid validity, xxx

31.3. Notwithstanding the issuance of the Notice of Award, xxx

31.4. At the time of contract award, the Procuring Entity shall not increase or decrease the quantity xxx

21. Signing of the Contract

21.1. At the same time as the Procuring Entity notifies the successful Bidder that its bid has been accepted, xxx

21.2. Within ten (10) calendar days from receipt of the Notice of Award, xxx

21.3. The Procuring Entity shall enter into contract with the successful Bidder within the same ten (10) calendar day period xxx

21.4. The following documents shall form part of the contract: xxx

32. Signing of the Contract

32.1. At the same time as the Procuring Entity notifies the successful Bidder that its bid has been accepted, xxx

32.2. Within ten (10) calendar days from receipt of the Notice of Award, xxx

32.3. The Procuring Entity shall enter into contract with the successful Bidder within the same ten (10) calendar day period xxx

32.4. The following documents shall form part of the contract: xxx

22. Performance Security

22.1. To guarantee the faithful performance by the winning Bidder of its obligations under the contract, xxx

22.2. The Performance Security shall be denominated in Philippine Pesos and posted in favor of the Procuring Entity xxx

22.3. Failure of the successful Bidder to comply with the above-mentioned requirement shall constitute sufficient ground for the annulment of the award and forfeiture of the bid security, xxx

33. Performance Security

33.1. To guarantee the faithful performance by the winning Bidder of its obligations under the contract, xxx

33.2. The Performance Security shall be denominated in Philippine Pesos and posted in favor of the Procuring Entity xxx

33.3. Failure of the successful Bidder to comply with the above-mentioned requirement shall constitute sufficient ground for the annulment of the award and forfeiture of the bid security, xxx

23. Notice to Proceed 34. Notice to Proceed
24. Protest Mechanism 35.  Protest Mechanism
SECTION III. BID DATA SHEET
5.4. The Bidder must have completed, within the last five (5) years from the date of submission and receipt of at least one (1) single contract of similar nature amounting to at least fifty percent (50%) of the ABC.

 

For this project, “similar in nature” shall mean “Security Operations Center (SOC)”.

5.4. The Bidder must have completed, within the last five (5) years from the date of submission and receipt of at least one (1) single contract of similar nature amounting to at least fifty percent (50%) of the ABC OR at least two (2) contracts of similar in nature, the aggregate of amount of which should be equivalent to at least fifty percent (50%) of the ABC, the largest of these contracts must be equivalent to at least twenty five percent (25%) of the ABC.

 

For this project, “similar in nature” shall mean “Security Operations Center (SOC)”.

12.(a)(vi) Statement of Completed Single Largest Contract of Similar nature within the last five (5) years from the date of submission and receipt of bids equivalent to at least fifty percent (50%) of the ABC. (Annex I-A)

 

“Similar” contract shall refer to Security Operations Center (SOC).

 

Any of the following documents must be submitted corresponding to listed contracts per submitted Annex I-A:

a.     Copy of End user’s acceptance;

b.     Copy of Official receipt/s; or

c.     Copy of Sales Invoice

 

12.1(a)(vi) Statement of Completed Single Largest Contract of Similar nature within the last five (5) years from the date of submission and receipt of bids equivalent to at least fifty percent (50%) of the ABC or Statement of At Least Two (2) Contracts of Similar Nature within the last five (5) years from the date of submission and receipt of bids, the  aggregate of which should be equivalent to at least fifty percent (50%) of the ABC, and the largest of these similar contracts must be equivalent to at least twenty five percent (25%) of the ABC. (Annex I-A)

 

“Similar” contract shall refer to Security Operations Center (SOC).

 

Any of the following documents must be submitted corresponding to listed contracts per submitted Annex I-A:

d.     Copy of End user’s acceptance;

e.     Copy of Official receipt/s; or

f.      Copy of Sales Invoice

No original provision. 12.1 (a) Eligibility Documents

xxx

Note:

For foreign company, the eligibility requirements may be substituted by the appropriate equivalent documents, if any, issued by the country of the foreign bidder concerned.

The eligibility requirements to be submitted must be in English. If eligibility requirements are in foreign language other than English, it must be accompanied by a translation of the documents in English. The documents shall be translated by the relevant foreign government agency, the foreign government agency authorized to translate documents, or registered translator in the foreign bidder’s country; and shall be authenticated by the appropriate Philippine foreign service establishment/post or the equivalent office having jurisdiction over the foreign  bidder’s affairs in the Philippines.

The equivalent eligibility documents shall be accompanied by a Sworn Statement (Annex A)

12.(a)(vii)(a) Should the bidder opt to submit NFCC, computation must be equal to the ABC of the project. 12.1(a)(vii)(a) Should the bidder opt to submit NFCC, computation must be at least equal to the ABC of the project.
12.(a)(viii) Copy of Protocol / Undertaking of Agreement to Enter into Joint Venture signed by all the potential join venture partners stating that they will enter into and abide by the provisions of the JVA in the instance that the bid is successful. (Annex III)

The JVA or the Protocol/Undertaking of Agreement to Enter into Joint Venture (Annex III) must include/specify the company/partner and the name of the office designated as authorized representative of the Joint Venture.

12.1.(a)(viii) Copy of Protocol / Undertaking of Agreement to Enter into Joint Venture signed by all the potential joint venture partners stating that they will enter into and abide by the provisions of the JVA in the instance that the bid is successful. (Annex III)

The JVA or the Protocol/Undertaking of Agreement to Enter into Joint Venture (Annex III) must include/specify the company/partner and the name of the office designated as authorized representative of the Joint Venture.

For Joint Venture, the following documents must likewise be submitted by each partner:

Xxx

4. Copy of each of the following Audited Financial Statements for 2016 and 2015 (in comparative form or separate reports): xxx

For Joint Venture, the following documents must likewise be submitted by each partner:

Xxx

4. Copy of each of the following Audited Financial Statements for 2017 and 2016 (in comparative form or separate reports): xxx

12.(b)(vi) Certificate of Performance Evaluation (Annex VII) showing a rating at least Satisfactory issued by the Bidder’s Single Largest Completed Contract Client stated in the submitted Annex I-A; This provision is deleted.
12.(b)(viii) Business Registration Certificate (BRC) with a minimum of five (5) years of experience in the field of intelligence, threat detection and cyber security; 12.1(b)(vii) Business Registration Certificate (BRC) with a minimum of five (5) years of experience in the field of ICT;
12(b)(ix) Valid Certification from at least two (2) of the bidder’s clients to prove that they have performed cyber forensic investigations specifically involving external attackers; 12.1(b)(viii) An affidavit stating that the bidder has performed cyber forensic investigations specifically involving external attackers for at least two (2) clients.
No original provision. 12.1 (b)(ix) Proposed console design which includes detailed dimensions and specifications and materials in 2D such as top-view, cross section and side view
No original provision. 12.1 (b)(x) Proposed console design drawing with ergonomic operator viewing to conform with Ergonomics
No original provision. 12.1 (b)(xi) Proposed design should include 3D rendered drawing
No original provision. 12.1 (b)(xii) Resume or curriculum vitae of the personnel for the following positions and minimum qualifications:
Position Minimum Qualifications
i. Analyst for Tier 1 at least any internationally recognized relevant security certification and has a minimum solid experience of at least three (3) years in the field of Information Security
ii. Analyst for Tier 2 at least any internationally recognized relevant security certification and has a minimum solid experience of at least three (3) years in the field of Information Security
iii. Analyst for Tier 3 at least any internationally recognized relevant security certification and has a minimum solid experience of at least five (5) years in the field of Information Security
iv. Supervisor solid 5 years experience in SOC operations or equivalent
SECTION V. SPECIAL CONDITIONS OF CONTRACT (SCC)
17.3. Two (2) years after acceptance by the Procuring Entity of the delivered Goods. 17.3. Three (3) years after acceptance by the Procuring Entity of the delivered Goods.
SECTION VI. SCHEDULE OF REQUIREMENTS
Description Delivered, Weeks / Months Description Delivered, Weeks / Months
Hardware/Software Onsite Delivery 1 Month Hardware/Software Onsite Delivery

Note:  This includes the civil works and fit-out in parallel with other deliverables

45 calendar days
Installation and configuration 0.5 Month Installation and configuration 15 calendar days
Testing and Submission of Testing Results & Documentations 0.5 Month Testing and Submission of Testing Results & Documentations 15 calendar days
CMS Network VAPT 0.5 Month CMS Network VAPT 15 calendar days
Hardware/Software Delivery to Priority Agencies 2 Months Hardware/Software Delivery to Priority Agencies 60 calendar days
Installation and Configuration of Hardware/Software to Priority Agencies 2 Months Installation and Configuration of Hardware/Software to Priority Agencies 60 calendar days
Operational Stress Test 0.5 Month Operational Stress Test 15 calendar days
Knowledge Transfer 3 Months Knowledge Transfer 90 calendar days
TOTAL 10 Months TOTAL 315 calendar days
SECTION VII. TECHNICAL SPECIFICATIONS
2.1.3.4. The Vendor shall provide a valid Business Registration Certificate (BRC) with a minimum of 5 years of experience in the field of intelligence, threat detection, and cyber security. 2.1.3.4. The Vendor shall provide a valid Business Registration Certificate (BRC) with a minimum of 5 years of experience in the field of ICT.
2.1.3.5 The Vendor shall provide a valid certification from at least two of their clients to prove that they performed cyber forensic investigations specifically involving external attackers. 2.1.3.5 The Vendor shall provide an affidavit stating that they have performed cyber forensic investigations specifically involving external attackers for at least 2 clients.
5. SOC Layout

Measurement: Centimeter (cm)

5. SOC Layout

Measurement: Millimeter (mm)

7.1.1.2.1 Next Generation Firewall (200 Gbps Firewall throughput) 7.1.1.2.1 Next Generation Firewall (20 Gbps Firewall throughput with Application Control, IPS, and Network Anti-virus)
7.1.1.2.2.1.6. The solution shall have on premise protection against volumetric, state-exhaustion and application-layer DDoS attacks. 7.1.1.2.2.1.6. The solution shall have on premise protection against volumetric, state-exhaustion and application-layer DDoS attacks up to 40 Gbps, after which can automatically notify and reroute attack traffic to cloud based scrubbing location.
7.1.1.2.3.5. Detection appliances shall support inline monitoring and blocking VM images for malware detonation shall be upgradable from the Web Management GUI. 7.1.1.2.3.5. VM images for malware detonation shall be upgradable from the Web Management GUI.
7.1.1.3.6.2. The solution shall also be deployed in the SOC’s ten (10) priority agencies. The agencies are DICT, NSC, DND, DFA, PCOO, OP/PMS, DOE, DBM, DOF and NICA. 7.1.1.3.6.2. The solution shall also be deployed in the SOC’s ten (10) priority agencies.
No original provision. 7.1.1.3.6.17 The log collection and correlation for the SIEM shall have a minimum of 5200 events per second.
7.1.1.5.2.9 The entire investigation process, findings and rationale must be documented in a workflow steps format, whether steps were conducted automatically or by human analyst, as to present the analysis carried so far. This provision is deleted.
No original provision. 7.1.1.7.16. The UPS power rating configuration shall be 2N+1 with 10 minutes runtime.
7.1.1.9.1. The solution shall have at least a 3 GHZ+ processor. 7.1.1.9.1. The solution shall be cloud-based.
7.1.1.9.2. The solution shall include at least 32GB RAM and 256 SSD x 3 GB available disk space which increases with VM target on a certain device. 7.1.1.9.2. The software solution should run on an industry standard server and operating system platforms
7.1.1.9.8.4. The solution shall be available in hardware and a virtual appliance version 7.1.1.9.8.4. The solution shall be available in hardware or virtual appliance version
7.1.1.9.8.5. Hardware scanners must have fast disks like SATA and bigger storage like ~ 1TB This provision is deleted.
7.1.1.9.16. The solution shall support up to 15000 endpoints (1500 per agency) 7.1.1.9.16. The solution shall support up to 15000 endpoints for the next three years. (5000 per year, or 500 per agency, per year). The vendor shall provide the main CMS a different set of agents from the 15000 initial agents.
No original provision. 7.1.1.10.2 Server Rack Cabinet

7.1.1.10.2.1 Technical Specifications

7.1.1.10.2.1.1 Six (6) Server Rack Cabinet that will fit the twelve (12) Main Rack Servers of the CMS.

7.1.1.10.2.1.1.1 One (1) Artificial Intelligence and storage of required database, logs, files, etc

7.1.1.10.2.1.1.2 One (1) Machine Learning server and storage of required database, logs, files, etc

7.1.1.10.2.1.1.3 One (1) Case management System server and storage of required database, logs, files, etc

7.1.1.10.2.1.1.4 One (1) Forensic systems investigation and storage of required database, logs, files, etc

7.1.1.10.2.1.1.5 One (1) Systems alerts server, filtered threats feeds and storage of required database, logs, files, etc

7.1.1.10.2.1.1.6 One (1) VAPT server and storage of required database, logs, files, etc

7.1.1.10.2.1.1.7 Two (2) Sandbox servers (1 Windows and 1 Linux) for malware extraction and investigations. Additional Virtual Machines shall be included.

7.1.1.10.2.1.1.8 One (1) Proxy Server and storage of required database, logs, files, etc

7.1.1.10.2.1.1.9 One (1) Internal server for SOC network and storage of required database, logs, files, etc

7.1.1.10.2.1.1.10 One (1) Physical Access and CCTV server and storage of required database, logs, files, etc

7.1.1.10.2.1.1.11 One (1) Monitoring Tools

 

7.1.1.10.3 Rack Servers for Backup (On premise)

7.1.1.10.3.1 Technical Specifications

7.1.1.10.3.1.1 One (1) Artificial Intelligence (Replica of the main server)

7.1.1.10.3.1.2 One (1) Machine Learning (Replica of the main server)

7.1.1.10.3.1.3 One (1) Case management System (Replica of the main server)

7.1.1.10.3.1.4 One (1) Forensic systems investigation and storage of required database, logs, files, etc

7.1.1.10.3.1.5 One (1) Central Backup Rack Server for Multiple storage (On Premise)

7.1.1.10.3.1.5.1 Systems alerts, filtered threats

7.1.1.10.3.1.5.2 All databases

7.1.1.10.3.1.5.3 VAPT databases

7.1.1.10.3.1.5.4 Internal Server access logs

7.1.1.10.3.1.5.5 other systems backup and configuration files

7.1.1.10.3.1.5.6 Agencies logs

7.1.1.10.3.1.5.7 Internal Files

7.1.1.10.3.1.5.8 Portable CMS backup

 

7.1.1.10.4 Server

7.1.1.10.4.1 Processor

7.1.1.10.4.1.1 Latest Xeon Processors

7.1.1.10.4.1.2 Intel® Xeon® processor E7 product family

 

7.1.1.10.4.2 Memory (RAM)

7.1.1.10.4.2. 128 RAM or higher to operate the solution smoothly with free expansion slots

7.1.1.10.4.2.2 Drive Bays / Storage

7.1.1.10.4.2.2.1 256 SSD / 1 Tera SATA, with free expansion slots

 

7.1.1.10.4.3 Operating System

7.1.1.10.4.3.1 Red Hat® Enterprise Linux or any premium Linux distro

 

7.1.1.10.4.4 Chassis Compatible with Rack Cabinet

 

7.1.1.10.4.5 Security Built-in

 

7.1.1.10.4.6 Other Features

7.1.1.10.4.6.1 ECC memory

7.1.1.10.4.6.2 Hot-plug hard drives

7.1.1.10.4.6.3 Hot-plug redundant cooling

7.1.1.10.4.6.4 Hot-plug redundant power

7.1.1.10.4.6.5 Internal Dual SD Module

7.1.1.10.4.6.6 Single Device Data Correction (SDDC)

7.1.1.10.4.6.7 Spare Rank

7.1.1.10.4.6.8 Support for high availability clustering and virtualization

7.1.1.10.4.6.9 Proactive systems management alerts

7.1.1.10.4.6.10 iDRAC8 with Lifecycle Controller

 

7.1.1.10.4.7 Power Specs

7.1.1.10.4.7.1 1100W AC, 86 mm (Platinum) / 1100W DC, 86 mm / 750W AC, 86 mm (Platinum) / 750W AC, 86 mm (Titanium)

7.1.1.10.4.7.5 495W AC, 86 mm (Platinum)

 

7.1.1.10.4.8 RAID Controllers Specs

7.1.1.10.4.8.1 Internal

7.1.1.10.4.8.1.1 PERC S130 (SW RAID)

7.1.1.10.4.8.1.2 PERC H330 / PERC H730 / PERC H730P

7.1.1.10.4.8.2 External

7.1.1.10.4.8.2.1 PERC H830

7.1.1.10.4.8.2.2 External HBAs (non-RAID):12Gbps SAS HBA

7.1.1.10.4.8.2.3 Chipset: Intel C610 series chipset

 

7.1.1.10.4.9 Network Controller: 4 x 1Gb, 2 x 1Gb + 2 x 10Gb, 4 x 10Gb

No original provision. 7.1.1.10.5 Internet Load Balancer

7.1.1.10.5.1. Can accept at least 3 internet providers and load balance the traffic

7.1.1.10.5.2. It balances both outbound and inbound traffic intelligently

7.1.1.10.5.3. Can handle Internet cable, DSL, fiber, cellular, 3G, and 4G LTE links

7.1.1.10.5.4. Can add priority application and balance traffic among other applications

8.1.1. Two (2) Clusters where each cluster is for 4 SOC operators with 24” Dual LCD monitor. 8.1.1. Two (2) Clusters where each cluster is for 4 SOC operators.
8.1.3.8. Should include aluminum Ergonomic LCD Arm for dual monitor 8.1.3.8. Should include aluminum Ergonomic LCD Arm for the workstations’ monitor
8.13. SOC Desktop Package (9 units) 8.13. SOC Desktop Package (10 units)
No original provision. 8.14. VAPT Computer

8.14.1.Technical Specification

8.14.1.1. 7th Generation Intel® Core™ i7-7700HQ Quad Core (6MB Cache, up to 3.8 GHz)

8.14.1.2. 16 GB RAM

8.14.1.3. 256 SSD + 1 TB HDD

8.14.1.4. 15.6-inch UHD (3840 x 2160) IPS Anti-Glare LED-Backlit Display

8.14.1.5. NVIDIA® GeForce® GTX 1050 Ti with 8GB GDDR5 graphics memory

No original provision. 8.15.Backup VAPT Laptop

8.15.1. Technical Specifications

8.15.1.1. 7th Generation Intel® Core™ i7-7700HQ Quad Core (6MB Cache, up to 3.8 GHz)

8.15.1.2. 16 GB RAM

8.15.1.3. 256 SSD + 1 TB HDD

8.15.1.4. 15.6-inch UHD (3840 x 2160) IPS Anti-Glare LED-Backlit Display

8.15.1.5. NVIDIA® GeForce® GTX 1050 Ti with 8GB GDDR5 graphics memory

9. Training / Knowledge Transfer / Capacity Building

8.14. The vendor shall provide certification operational training xxx

8.15. The SOC Operational Training agenda shall include xxx

8.15.1. The cyber domain threat actors xxx

8.15.2. Solution capabilities xxx

8.15.3. Solution GUI

8.15.4. Using detection engines xxx

8.15.5. Conducting investigation workflow xxx

8.15.6. Using the SOC Platform’s web-tools xxx

8.15.7. Methodology and workflow

8.15.8. Intelligence feeds updates xxx

8.16. The vendor shall provide maintenance training xxx

8.16.1. The SOC Maintenance Training xxx

8.16.1.1 System architecture

8.16.1.2. System flows

8.16.1.3. Frontend subsystem overview

8.16.1.4. Backend subsystem overview

8.16.1.5. Maintenance tools overview

8.17. The vendor shall provide operational training to the Analysts xxx

8.18. Knowledge Transfer -xxx

8.18.1. Equipment Technical Specifications xxx

8.18.2. Basic Appliance and Software Operations xxx

8.18.3. Troubleshooting – xxx

8.18.4. Preventive Maintenance Orientation – xxx

8.18.5.  Support Service Structure – xxx

8.19. At a minimum, the Knowledge Transfer session must xxx

8.19.1. Classroom session – xxx

8.19.2. Solutions Walk-Through -xxx

9. Training / Knowledge Transfer / Capacity Building

9.1. The vendor shall provide certification operational training xxx

9.2. The SOC Operational Training agenda shall include xxx

9.2.1. The cyber domain threat actors xxx

9.2.2. Solution capabilities xxx

9.2.3. Solution GUI

9.2.4. Using detection engines xxx

9.2.5. Conducting investigation workflow xxx

9.2.6. Using the SOC Platform’s web-tools xxx

9.2.7. Methodology and workflow

9.2.8. Intelligence feeds updates xxx

9.3. The vendor shall provide maintenance training xxx

9.3.1. The SOC Maintenance Training xxx

9.3.1.1 System architecture

9.3.1.2. System flows

9.3.1.3. Frontend subsystem overview

9.3.1.4. Backend subsystem overview

9.3.1.5. Maintenance tools overview

9.4. The vendor shall provide operational training to the Analysts xxx

9.5. Knowledge Transfer -xxx

9.5.1. Equipment Technical Specifications xxx

9.5.2. Basic Appliance and Software Operations xxx

9.5.3. Troubleshooting – xxx

9.5.4. Preventive Maintenance Orientation

9.5.5.  Support Service Structure – xxx

9.6. At a minimum, the Knowledge Transfer session must xxx

9.6.1. Classroom session – xxx

9.6.2. Solutions Walk-Through -xxx

9. Operation

10.1. The vendor shall make sure that all access to Analyst computers xxx

9.1.1. The Vendor shall assist DICT in staffing the CMS Team xxx

9.1.2.1. The analyst shall be a Filipino citizen

9.1.2.2. The consultant may either be a Filipino or any citizenship.

9.1.2.3. The analyst must be a holder of at least any internationally recognized relevant security certification and has a minimum solid experience of two (2) years in the field of cybersecurity.

9.1.2.4. The Vendor shall see to it that the SOC Manager shall be xxx

9.1.2.4.1. Assign incidents to analysts

9.1.2.4.2. Manage and monitor the performance of SOC team members

9.1.2.4.3. Track incident handling by KPIx xxx

9.1.2.4.4. Monitor all tasks performed by analyst / senior analyst

9.1.2.5. The vendor shall see to it that the SOC Analyst / Senior analyst xxx

9.1.2.5.1. Review assigned incidents by severity

9.1.2.5.2. Investigate the incident using the following tools:

9.1.2.5.2.1. Network Forensics

9.1.2.5.2.2. Endpoint Forensics

9.1.2.5.2.3. File Analysis

9.1.2.5.2.4. Search Incidents

9.1.2.5.3. Add evidence and observations xxx

9.1.2.5.4. Respond to incidents as follows:

9.1.2.5.5. Update incident status/severity.

9.1.2.5.6. Launch proactive investigations using the solution’s xxx

9.1.2.5.7. Open new incidents based on evidence and xxx

9.1.2.5.8. Set alert action rules to optimize the xxx

10. Operation

10.1. The vendor shall make sure that all access to Analyst computers xxx

10.1.1. The Vendor shall assist DICT in staffing the CMS Team xxx

10.1.2.1. The analyst shall be a Filipino citizen

10.1.2.2. The consultant may either be a Filipino or any citizenship.

10.1.2.3. The analyst must be a holder of at least any internationally recognized relevant security certification and has a minimum solid experience of at least three (3) years for Tier1 and Tier2, and five (5) years for tier 3 Analyst in the field of Information Security. The supervisor must have a solid 5 years experience in SOC operations or equivalent.

10.1.2.3.1. The vendor shall provide the resume/curriculum vitae of the personnel for each position

10.1.2.4. The Vendor shall see to it that the SOC Manager shall be xxx

10.1.2.4.1. Assign incidents to analysts

10.1.2.4.2. Manage and monitor the performance of SOC team members

10.1.2.4.3. Track incident handling by KPIx xxx

10.1.2.4.4. Monitor all tasks performed by analyst / senior analyst

10.1.2.5. The vendor shall see to it that the SOC Analyst / Senior analyst xxx

10.1.2.5.1. Review assigned incidents by severity

10.1.2.5.2. Investigate the incident using the following tools:

10.1.2.5.2.1. Network Forensics

10.1.2.5.2.2. Endpoint Forensics

10.1.2.5.2.3. File Analysis

10.1.2.5.2.4. Search Incidents

10.1.2.5.3. Add evidence and observations xxx

10.1.2.5.4. Respond to incidents as follows:

10.1.2.5.5. Update incident status/severity.

10.1.2.5.6. Launch proactive investigations using the solution’s xxx

10.1.2.5.7. Open new incidents based on evidence and xxx

10.1.2.5.8. Set alert action rules to optimize the xxx

10. Warranty

10.1. The vendor shall replace defective items to the end-user within xxx

10.2. Warranty issued in each component in the core shall be valid for twenty-four (24) months.

11. Warranty

11.1. The vendor shall replace defective items to the end-user within xxx

11.2. Warranty issued in each component in the core shall be valid for three (3) years.

11. Escalation

11.1. The vendor shall provide technical support xxx

11.2. The vendor shall provide the following support to CMS:

11.2.1. Hardware/Software Support

11.2.1.1. Replacement of the hardware and software support xxx

11.2.2. Scope of Responsibility – xxx

11.2.2.1. Troubleshooting and configuration on-site

11.2.2.2. Replace defective equipment and configure it

11.2.2.3. Update firmware as necessary

12. Escalation

12.1. The vendor shall provide technical support xxx

12.2. The vendor shall provide the following support to CMS:

12.2.1. Hardware/Software Support

12.2.1.1. Replacement of the hardware and software support xxx

12.2.2. Scope of Responsibility – xxx

12.2.2.1. Troubleshooting and configuration on-site

12.2.2.2. Replace defective equipment and configure it

12.2.2.3. Update firmware as necessary

12. Licenses and Support

12.1. All software in the above mentioned shall have xxx

12.2. Support and maintenance to the core and deployed tools xxx

13. Licenses and Support

13.1. All software in the above mentioned shall have xxx

13.2. Support and maintenance to the core and deployed tools xxx

13. Compatibility and Interoperability with Open System Platform

xxx

14. Compatibility and Interoperability with Open System Platform

xxx

14. Penalty Clause

xxx

15. Penalty Clause

xxx

15. Payment Terms 16. Payment Terms
Milestones Progress Milestones Progress
Upon onsite delivery of all Hardware/Software 10% Upon onsite delivery of all Hardware/Software 35%
Upon completion of installation and configurations 10% Upon completion of installation and configurations 10%
Upon completion of agreed Testing 10% Upon completion of agreed Testing 5%
Upon execution of VAPT to the Cybersecurity Management System’s Network 5% Upon execution of VAPT to the Cybersecurity Management System’s Network 5%
Completion of Testing to the Cybersecurity Management System’s Network 20% Completion of Testing to the Cybersecurity Management System’s Network 5%
Upon Installation and Configuration of Hardware/Software to the Priority Agencies 10% Upon Installation and Configuration of Hardware/Software to the Priority Agencies 20%
Upon completion of operational stress test to the Cybersecurity Management System and Priority Agencies Network 15% Upon completion of operational stress test to the Cybersecurity Management System and Priority Agencies Network 10%
Upon completion of Knowledge Transfers and submission of As – Built Plans, Operations & Maintenance Manuals, Warranty completion of Training Sessions 20% Upon completion of Knowledge Transfers and submission of As – Built Plans, Operations & Maintenance Manuals, Warranty completion of Training Sessions 5%
Total 100% Total 100%
16. Timelines for Implementation of the Project

 

As stated in this document, the projected implementation duration is maximum of 10 months from date of award. Vendor proposed implementation schedule must not exceed 10 months. Such projections are based on the following Work Breakdown

17. Timelines for Implementation of the Project

 

As stated in this document, the projected implementation duration is maximum of 315 calendar days from date of award. Vendor proposed implementation schedule must not exceed 315 calendar days. Such projections are based on the following Work Breakdown

Description Duration Description Duration
Hardware/Software Onsite Delivery 1 Month Hardware/Software Onsite Delivery

Note:  This includes the civil works and fit-out in parallel with other deliverables

45 calendar days
Installation and configuration 0.5 Month Installation and configuration 15 calendar days
Testing and Submission of Testing Results & Documentations 0.5 Month Testing and Submission of Testing Results & Documentations 15 calendar days
CMS Network VAPT 0.5 Month CMS Network VAPT 15 calendar days
Hardware/Software Delivery to Priority Agencies 2 Months Hardware/Software Delivery to Priority Agencies 60 calendar days
Installation and Configuration of Hardware/Software to Priority Agencies 2 Months Installation and Configuration of Hardware/Software to Priority Agencies 60 calendar days
Operational Stress Test 0.5 Month Operational Stress Test 15 calendar days
Knowledge Transfer 3 Months Knowledge Transfer 90 calendar days
TOTAL 10 Months TOTAL 315 calendar days
17. Service Level Agreement 18. Service Level Agreement

 

All terms, conditions and instructions to bidders specified in the Bidding Documents inconsistent with this Bid Bulletin are hereby superseded and modified accordingly.

 

Attached in this Supplemental Bid Bulletin are the following references:

  • Schematic Diagram
  • Revised SOC Floorplan as of 31 July 2018
  • Network Infrastructure
  • Electrical Layout
  • Structured Cabling

 

Further, please use the following forms attached in this Supplemental Bid Bulletin:

  • Revised Schedule of Requirements as of 31 July 2018
  • Revised Technical Specifications as of 31 July 2018
  • Sworn Statement as of 31 July 2018
  • Revised Statement of Completed Single Largest Contract of Similar nature within the last five (5) years from the date of submission and receipt of bids equivalent to at least fifty percent (50%) of the ABC or Statement of At Least Two (2) Contracts of Similar Nature within the last five (5) years from the date of submission and receipt of bids, the aggregate of which should be equivalent to at least fifty percent (50%) of the ABC, and the largest of these similar contracts must be equivalent to at least twenty five percent (25%) of the ABC as of 31 July 2018
  • Revised Omnibus Sworn Statements as of 31 July 2018
  • Revised Technical Bid Form as of 31 July 2018
  • Revised Financial Bid Form as of 31 July 2018
  • Revised Detailed Financial Breakdown as of 31 July 2018
  • Revised For Goods Offered From Abroad as of 31 July 2018
  • Revised For Goods Offered from Within the Philippines as of 31 July 2018

 

 

For information and guidance of all concerned.

For a full copy of the document, click the link below:

Supplemental Bid Bulletin No. 4-SUPPLY, INSTALLATION AND DELIVERY OF CYBERSECURITY MANAGEMENT SYSTEM PROJECT

Issued this 31st day of July 2018.

 

 

(Original Signed)

JIEZL GABRILLE G. REOTUTAR

Vice Chairperson, BAC4G&S