Savings for the Nation Government e-Market Place II Pre-Procurement Market Engagement Nick Morris; August 2012 1

Apr 01, 2015

Jayde Aldridge
Page 1

Savings for the Nation

Government e-Market Place II

Pre-Procurement Market Engagement

Nick Morris; August 2012

Page 2

Agenda

• Introductions

• Government Procurement e-Enablement and e-Commerce

• Government e-Market Place Background

• Procurement Overview

• Proposed Timescale

• Proposed Statement of Requirements

• Security Requirements

• Next Steps

11/04/23 2

Page 3

eEnablement Strategic Goals

1. To support the definition of category strategies, the sourcing, procurement and the management of contracts & suppliers through appropriate use of technology, maximising the use of existing investment in departments whilst ensuring there is full coverage of technical support across the whole of Government Procurement;

2. Consider the integration of multiple existing e-Sourcing solutions for centralised procurement;

3. The management of technology to promote accessibility of central deals by customers across the whole of the public sector and facilitation of the reporting and analysis of procurement expenditure, contract and supplier performance across all Central Government users.

Page 4

Technical Architecture

[Diagram. Labels: Users; Suppliers; The Government Procurement Portal; Catalogues; Cabinet Office Corporate Website; Secure access management; Category Specific Tools; eMarketplace; eSourcing Tool; Spend Analysis; Contract Finder Solution; Dynamic Marketplace; Cognos Data Warehouse. Marking: PROTECT - IL1]

Page 5

Enabling Technologies Target GPS Architecture

The Government Open Procurement Portal

[Diagram. Marking: PROTECT - IL1. Labels:]

• Single Web Portal designed and hosted in partnership with DirectGov

• ERP P2P; ERP AP

• ERP hosted by CG Depts

• Non ERP use PS Otis accessed via Website

• Specific Category Tools: Punch Out \ Integration with Supplier Sites eg Hotels, Fleet, Appstore

• eMarketplace: Catalogues for common goods

• eSourcing Tool: Complex RFQ/RFP, Auctions, SRM & contract management

• Spend Analysis: Spend by Suppliers & agreed Category schematic

• Contract Finder Solution: Opportunities, Contract award information

• ‘PSPES’ Replacement Solution

• Dynamic Marketplace eRFQ: SME Registration and Quotation for sub EU tenders (services)

• The Government Procurement Portal; Catalogues

• Users; Suppliers

Page 6

Enabling Technologies Target GPS Architecture

[Diagram of central and linked applications and the data flows between them.]

Applications: GPS Procurement Portal**; GPS eSourcing**; GPS Spend Analysis**; GPS Reporting Tool**; GPS eMarketplace*; Dynamic eMarketplace*; Contracts Finder*; Category Specific Tools; Dept eSourcing tools; Dept ERP / AP; GPS Procurement and Spend Reports and Dashboards

Functions: Sourcing; Contract Management; Supplier Management

Annotations: For customer and supplier communications; For Central Contracts; For Total Spend; For non-spend related analysis; For opportunity and contract award publication

Data flows: Order details; Invoice details; Contract details; RFx and Contract data; Cleansed Spend Data; Catalogue details

Key: Central Application; Linked Application; Data Flow

* Live
** Being Implemented

Page 7

Government e-Market Place Background

• Where Have We Come From
  • Zanzibar Framework agreement
  • Let August 2005
  • Managed by OGC Buying Solutions
  • DWP Usage
  • ERP Implementation
  • Legacy Catalogue Hosting

• Current Position
  • Catalogue
  • Non-Catalogue E-RFQ

• Future Direction
  • Ge-M II

Page 8

Procurement Overview

Completed

• Consultation with other Government Departments and Wider Public Sector organisations including cross-Government senior stakeholders; minimum requirements identified and agreed by ESAB.

• PIN notice issued 22nd June 2012

• Strategy developed and incorporated into a business case

• Consultation with GP IAO

• Pre-procurement market engagement event 1st August 2012

Page 9

Proposed Timescales

Moving Forward – Provisional Timescales

• Review supplier feedback – by 6th August

• Stakeholder engagement & requirements gathering exercise – w/c 13th August

• Draft OJEU and issue – September 2012

• Tender Issue date - Late September / October 2012

• ITT return – 5th November 2012

• Evaluation period – 12th November – 10th December 2012

• Mandatory standstill start date w/c 17th December 2012

• Contract award – end of January 2013

Page 10

Government e-Market Place II

Minimum Statement of Requirements

Page 11

Mandatory Services

Content Management system – UNSPSC data mapping; catalogue workflows; rich data content with live links to supplier data

Hosted Catalogue Management Services – catalogue search and compare; permission views local/global; supplier registration workflow [self service]; bulk upload / supplier adoption; DUNS

Purchase to Payment lite – integrated / non integrated end user; backward compatible IE6; integration to other e-systems; end user support; MI tool and standard reporting; spend analysis and SUM reporting

Page 12

Mandatory Security Requirements

Systems and accreditation IL 1; 3 and 4

GSi Hub

CJX Hub

N3 Hub

NHS supply chain secure

XML Firewall

Security cleared personnel

Page 13

Dynamic RFQ functionality

Non-complex; low risk; sub-OJEU requirements

quick turn around

secure

GP central category strategies

Public Sector opportunities for SME

Page 14

Commercial model

Modularised delivery

Cost effective

End user selection of component parts to fit requirements

VfM

Sector Wide

Page 15

[Diagram. Labels: Commercial model; Modularised delivery; Cost effective; End user selection of component parts to fit requirements; VfM; Sector wide]

Page 16

Information Assurance & RMADS Accreditation

Amanda Squire, August 2012

Page 17

Security Policy Framework

Cabinet Office website: http://www.cabinetoffice.gov.uk/content/government-security/

MR 8

All ICT systems that handle, store and process protectively marked information or business critical data, or that are interconnected to cross-government networks or services (e.g. The Government Secure Intranet, GSI), must undergo a formal risk assessment to identify and understand relevant technical risks; and must undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed.

Page 18

Security Policy Framework

Cabinet Office website: http://www.cabinetoffice.gov.uk/content/government-security/

MR 9

Departments and Agencies must put in place an appropriate range of technical controls for all ICT systems, proportionate to the value, importance and sensitivity of the information held and the requirements of any interconnected systems.

Page 19

HMG Information Assurance Standards

CESG Information Assurance Policy Portfolio www.cesg.gov.uk

• IS1&2 – Information Risk Assessment

• IS4 – Management of Cryptographic Systems

• IS5 – Secure Sanitisation

• IS6 – Protecting Personal Data & Managing Information Risk

• IS7 – Authentication of Internal Users of ICT Systems Handling Government Information

Only IS1 Technical Risk Assessment, Business Impact Levels & the IS1 Risk Tool are available on the public website at this time.

Page 20

CESG Technical Guidance

CESG Information Assurance Policy Portfolio www.cesg.gov.uk

• GPGs – Good Practice Guides

• Cryptographic Standards

• Developers’ Notes

• Implementation Guides

• Architectural Patterns

• CESG Security Procedures

• Technical Threat Briefings

• CESG IA Notices

On Contract Award, IT Security Managers should contact [email protected] quoting Government Procurement Service as the sponsoring organisation

Page 21

HMG Information Assurance Standards

IS1 & 2 – Information Risk Assessment

Risk Management Requirement 8

Departments & Agencies must assess the technical risks to the Confidentiality, Integrity and Availability of their ICT systems or services. A technical risk assessment must be conducted at the start of all HMG ICT projects or programmes, and must be refined to reflect any change. The findings of all technical risk assessments must be reviewed at least annually to identify any changes to threat, vulnerability or impact.

Supports MR 8 of the SPF

Page 22

HMG Information Assurance Standards

IS1 & 2 – Information Risk Assessment

Risk Management Requirement 13

The findings of the technical risk assessment must inform and substantiate the selection, and implementation approach of the controls used to treat the identified technical risks. The approach to selection and implementation must be endorsed by the Accreditor or their delegated authority.

Supports MR 9 of the SPF

Page 23

HMG Information Assurance Standards

IS1 & 2 – Information Risk Assessment

Risk Management Requirement 14

The risk treatment plan must include as a minimum the mandatory protective controls from the SPF, HMG IA Standards and other relevant Tier 4 policy documents.

Supports MR 9 of the SPF

Page 24

HMG Information Assurance Standards

IS1 & 2 – Information Risk Assessment

Risk Management Requirement 15

By default every HMG Information system or service with a Business Impact Level (IL) of 3 or above for either: Confidentiality, Integrity or Availability, must implement the full set of controls as defined in the Baseline Control Set of the supplement to this standard.

Page 25

Baseline Control Set

IS1-2 Supplement, Appendix A

• Aligned to ISO27001 Control References 5 to 15

• DETER level guidance for IL2/3

• Suitable to treat all risks up to and including Medium

• Risks identified as Medium-High or High must have additional mitigation in place

Page 26

RMADs Accreditation

Risk Management & Accreditation Document Set

• The confidence that the risks to information systems are being properly managed is known as Information Assurance (IA), and the formal assessment of an information system against its IA requirements is known as accreditation.

• All ICT systems or services that process, handle or store protectively marked or personal [or sensitive] Government information must be accredited using IAS 1-2 and reviewed annually. (eg >= IL 2)

• Accreditation is the business process for managing information risk of ICT systems and services

Page 27

RMADs Accreditation

Accreditation Stages

• The accreditation process must start as early as possible.

• Initial requirements identified at Stage 0.

• Preliminary process started by Stage 1

• Process starts around Stage 3.

• Accreditation approval Stage 4.

• Accreditation maintenance – Situation Awareness Stage 5

• End of life – Decommissioning Stage 6

Page 28

RMADs Accreditation

Accreditation Stages

1. Project Initiation – meet SRO/PM; agree Risk Owner (SIRO); set C, I and A business impact levels; agree risk tolerance based on Government Procurement Service risk appetite.

2. Set up IA management team – agree accreditation plan.

3. Draft RMADS and initial IAS1 risk assessment – approved by Accreditor.

4. Technical Security Architecture defined – approved by Accreditor and/or CESG Design Review.

5. System built.

6. Physical, procedural, personnel and technical (P3T) inspections including ITHC – consolidated risk register

7. User Acceptance Testing

8. SIRO acceptance of residual risk and RMADs accreditation sign off.

9. Annual security review (including ITHC) and re-accreditation

10. Decommission

Page 29

RMADs Accreditation

Interconnections – PSN, CJX, N3

Approaches to the risk management and accreditation of interconnections will vary depending on complexity; however, in all cases a formal agreement on the interconnection is required. Approaches may include:

• A Code of Connection (CoCo, eg PSN) for a single point to point connection;

• A Community Security Policy (CSP) defining the mandatory security requirements for connection to a community of interconnected systems or services;

• Shared service agreements – develop trust between shared IA managers;

The Accreditation approach for the required interconnections will be agreed following contract award when the proposed solution is known.

Page 30

RMADs Accreditation

Outsourcing & Offshoring

• Host environments, data centres and other ICT services supplied by third parties/sub-contractors may also require accreditation.

• GPG6 – Outsourcing & Offshoring: Managing the Security Risks

• Supplementary controls for systems in addition to those in ISO27001

• A detailed risk assessment must be performed prior to transitioning service delivery to an external third party

• The service provider is required to operate the contract in accordance with UK law, the SPF and all associated standards and guidance

Page 31

RMADs Accreditation

Overview of Contents

Page 32

RMADs Accreditation

Overview of Contents - continued

Page 33

RMADs Accreditation

• For specific technical and functional requirements please contact the Government eMarketplace II procurement team

• Successful bidders are strongly advised to engage a CLAS (CESG Listed) Consultant on Contract Award to assist with the RMADs process

Page 34

Next Steps

High Level Specification available online – W/C 13th August 2012

http://gps.cabinetoffice.gov.uk/i-am-supplier/supplier-industry-days

Any questions or queries prior to issue of OJEU email them [email protected]