Post on 01-Apr-2015
transcript
Savings for the Nation
Government e-Market Place II: Pre-Procurement Market Engagement
Nick Morris; August 2012
Agenda
• Introductions
• Government Procurement e-Enablement and e-Commerce
• Government e-Market Place Background
• Procurement Overview
• Proposed Timescale
• Proposed Statement of Requirements
• Security Requirements
• Next Steps
eEnablement Strategic Goals
1. To support the definition of category strategies, the sourcing, procurement and the management of contracts & suppliers through appropriate use of technology, maximising the use of existing investment in departments whilst ensuring there is full coverage of technical support across the whole of Government Procurement;
2. Consider the integration of multiple existing e-Sourcing solutions for centralised procurement;
3. The management of technology to promote accessibility of central deals by customers across the whole of the public sector and facilitation of the reporting and analysis of procurement expenditure, contract and supplier performance across all Central Government users.
Technical Architecture (diagram; slide marked PROTECT - IL1)
Diagram elements: Users; Suppliers; The Government Procurement Portal (Cabinet Office Corporate Website; Secure access management); Portal Catalogues; and the following components:
• Government Procurement Portal – Single Web Portal designed and hosted in partnership with DirectGov
• ERP P2P – ERP hosted by CG Depts; Non-ERP use PS Otis accessed via Website
• Category Specific Tools – Punch Out \ Integration with Supplier Sites eg Hotels, Fleet, Appstore
• eMarketplace – Catalogues for common goods
• eSourcing Tool – Complex RFQ/RFP, Auctions, SRM & contract management
• Spend Analysis – Spend by Suppliers & agreed Category schematic
• Contract Finder Solution – Opportunities, Contract award information (‘PSPES’ Replacement Solution)
• Dynamic Marketplace – eRFQ; SME Registration and Quotation for sub EU tenders (services)
• Cognos Data Warehouse
Enabling Technologies Target GPS Architecture (diagram; slide marked PROTECT - IL1)
The Government Open Procurement Portal
• GPS Procurement Portal**
• GPS Spend Analysis**
• GPS eSourcing** – Sourcing; Contract Management; Supplier Management
• Dept eSourcing tools
• Dept ERP / AP
• GPS eMarketplace*
• Dynamic eMarketplace*
• Category Specific Tools
• GPS Reporting Tool** – GPS Procurement and Spend Reports and Dashboards; for non-spend related analysis
• Contracts Finder* – for opportunity and contract award publication
Data flows shown: Order details; Invoice details; Contract details; RFx and Contract data; Cleansed Spend Data; Catalogue details
Other diagram labels: Central Application; Linked Application; Data Flow; For customer and supplier communications; For Central Contracts; For Total Spend
Key: * Live; ** Being Implemented
Government e-Market Place Background
• Where Have We Come From
  • Zanzibar Framework agreement
  • Let August 2005
  • Managed by OGC Buying Solutions
  • DWP Usage
  • ERP Implementation
  • Legacy Catalogue Hosting
• Current Position
  • Catalogue
  • Non-Catalogue E-RFQ
• Future Direction
  • Ge-M II
Procurement Overview
Completed
• Consultation with other Government Departments and Wider Public Sector organisations including cross-Government senior stakeholders; minimum requirements identified and agreed by ESAB.
• PIN notice issued 22nd June 2012
• Strategy developed and incorporated into a business case
• Consultation with GP IAO
• Pre-procurement market engagement event 1st August 2012
Proposed Timescales
Moving Forward – Provisional Timescales
• Review supplier feedback – by 6th August
• Stakeholder engagement & requirements gathering exercise – w/c 13th August
• Draft OJEU and issue – September 2012
• Tender Issue date – Late September / October 2012
• ITT return – 5th November 2012
• Evaluation period – 12th November – 10th December 2012
• Mandatory standstill start date w/c 17th December 2012
• Contract award – end of January 2013
Minimum Statement of Requirements
Mandatory Services
• Content Management system – UNSPSC data mapping; catalogue workflows; rich data content with live links to supplier data
• Hosted Catalogue Management Services – catalogue search and compare; permission views local/global; supplier registration workflow [self service]; bulk upload / supplier adoption; DUNS
• Purchase to Payment lite – integrated / non integrated end user; backward compatible IE6; integration to other e-systems; end user support; MI tool and standard reporting; spend analysis and SUM reporting
Mandatory Security Requirements
• Systems and accreditation at IL 1, 3 and 4
• GSi Hub
• CJX Hub
• N3 Hub
• NHS supply chain secure
• XML Firewall
• Security cleared personnel
Dynamic RFQ functionality
• Non-complex; low risk; sub-OJEU requirements
• Quick turnaround
• Secure
• GP central category strategies
• Public Sector opportunities for SME
Commercial model
• Modularised delivery
• Cost effective
• End user selection of component parts to fit requirements
• VfM
• Sector Wide
Information Assurance & RMADS Accreditation
Amanda Squire, August 2012
Security Policy Framework (Cabinet Office website: http://www.cabinetoffice.gov.uk/content/government-security/)
MR 8
All ICT systems that handle, store and process protectively marked information
or business critical data, or that are interconnected to cross-government
networks or services (e.g. The Government Secure Intranet, GSI), must
undergo a formal risk assessment to identify and understand relevant
technical risks; and must undergo a proportionate accreditation process to
ensure that the risks to the confidentiality, integrity and availability of the
data, system and/or service are properly managed.
Security Policy Framework (Cabinet Office website: http://www.cabinetoffice.gov.uk/content/government-security/)
MR 9
Departments and Agencies must put in place an appropriate range of
technical controls for all ICT systems, proportionate to the value,
importance and sensitivity of the information held and the requirements
of any interconnected systems.
HMG Information Assurance Standards (CESG Information Assurance Policy Portfolio: www.cesg.gov.uk)
• IS1&2 – Information Risk Assessment
• IS4 – Management of Cryptographic Systems
• IS5 – Secure Sanitisation
• IS6 – Protecting Personal Data & Managing Information Risk
• IS7 – Authentication of Internal Users of ICT Systems Handling Government Information
Only IS1 Technical Risk Assessment, Business Impact Levels & the IS1 Risk Tool are available on the public website at this time.
CESG Technical Guidance (CESG Information Assurance Policy Portfolio: www.cesg.gov.uk)
• GPGs – Good Practice Guides
• Cryptographic Standards
• Developers’ Notes
• Implementation Guides
• Architectural Patterns
• CESG Security Procedures
• Technical Threat Briefings
• CESG IA Notices
On Contract Award, IT Security Managers should contact enquiries@cesg.gsi.gov.uk quoting Government Procurement Service as the sponsoring organisation
HMG Information Assurance Standards: IS1 & 2 – Information Risk Assessment
Risk Management Requirement 8
Departments & Agencies must assess the technical risks to the Confidentiality,
Integrity and Availability of their ICT systems or services. A technical risk
assessment must be conducted at the start of all HMG ICT projects or
programmes, and must be refined to reflect any change. The findings of all
technical risk assessment must be reviewed at least annually to identify any
changes to threat, vulnerability or impact.
Supports MR 8 of the SPF
HMG Information Assurance Standards: IS1 & 2 – Information Risk Assessment
Risk Management Requirement 13
The findings of the technical risk assessment must inform and substantiate the
selection, and implementation approach of the controls used to treat the
identified technical risks. The approach to selection and implementation must
be endorsed by the Accreditor or their delegated authority.
Supports MR 9 of the SPF
HMG Information Assurance Standards: IS1 & 2 – Information Risk Assessment
Risk Management Requirement 14
The risk treatment plan must include as a minimum the mandatory protective
controls from the SPF, HMG IA Standards and other relevant Tier 4 policy
documents.
Supports MR 9 of the SPF
HMG Information Assurance Standards: IS1 & 2 – Information Risk Assessment
Risk Management Requirement 15
By default every HMG Information system or service with a Business Impact Level
(IL) of 3 or above for either: Confidentiality, Integrity or Availability, must
implement the full set of controls as defined in the Baseline Control Set of the
supplement to this standard.
Baseline Control Set
IS1-2 Supplement, Appendix A
• Aligned to ISO27001 Control References 5 to 15
• DETER level guidance for IL2/3
• Suitable to treat all risks up to and including Medium
• Risks identified as Medium-High or High must have additional mitigation in place
RMADs Accreditation: Risk Management & Accreditation Document Set
• The confidence that the risks to information systems are being properly managed is known as Information Assurance (IA), and the formal assessment of an information system against its IA requirements is known as accreditation.
• All ICT systems or services that process, handle or store protectively marked or personal [or sensitive] Government information must be accredited using IAS 1-2 and reviewed annually. (eg >= IL 2)
• Accreditation is the business process for managing information risk of ICT systems and services
RMADs Accreditation: Accreditation Stages
• The accreditation process must start as early as possible.
• Initial requirements identified at Stage 0.
• Preliminary process started by Stage 1
• Process starts around Stage 3.
• Accreditation approval Stage 4.
• Accreditation maintenance – Situation Awareness Stage 5
• End of life – Decommissioning Stage 6
RMADs Accreditation: Accreditation Stages
1. Project Initiation – meet SRO/PM; agree Risk Owner (SIRO); set C, I and A business impact levels; agree risk tolerance based on Government Procurement Service risk appetite.
2. Set up IA management team – agree accreditation plan.
3. Draft RMADS and initial IAS1 risk assessment – approved by Accreditor.
4. Technical Security Architecture defined – approved by Accreditor and/or CESG Design Review.
5. System built.
6. Physical, procedural, personnel and technical (P3T) inspections including ITHC – consolidated risk register.
7. User Acceptance Testing.
8. SIRO acceptance of residual risk and RMADs accreditation sign off.
9. Annual security review (including ITHC) and re-accreditation.
10. Decommission.
RMADs Accreditation: Interconnections – PSN, CJX, N3
Approaches to the risk management and accreditation of interconnections will vary depending on complexity; however, in all cases a formal agreement on the interconnection is required. Approaches may include:
• A Code of Connection (CoCo, eg PSN) for a single point to point connection;
• A Community Security Policy (CSP) defining the mandatory security requirements for connection to a community of interconnected systems or services;
• Shared service agreements – develop trust between shared IA managers.
The Accreditation approach for the required interconnections will be agreed following contract award when the proposed solution is known.
RMADs Accreditation: Outsourcing & Offshoring
• Host environments, data centres and other ICT services supplied by third parties/sub-contractors may also require accreditation.
• GPG6 – Outsourcing & Offshoring: Managing the Security Risks
• Supplementary controls for systems in addition to those in ISO27001
• A detailed risk assessment must be performed prior to transitioning service delivery to an external third party
• The service provider is required to operate the contract in accordance with UK law, the SPF and all associated standards and guidance
RMADs Accreditation: Overview of Contents
RMADs Accreditation: Overview of Contents – continued
RMADs Accreditation
• For specific technical and functional requirements please contact the Government eMarketplace II procurement team
• Successful bidders are strongly advised to engage a CLAS (CESG Listed) Consultant on Contract Award to assist with the RMADs process
Next Steps
High Level Specification available online – W/C 13th August 2012: http://gps.cabinetoffice.gov.uk/i-am-supplier/supplier-industry-days
Any questions or queries prior to issue of OJEU, email them to Ge-M-II@gps.gsi.gov.uk