MINUTES OF MEETING OF PRE-BID MEETING HELD ON 05 JUL 17

PROCUREMENT AND SETTING UP OF PUBLIC KEY INFRASTRUCTURE (PKI) - INDIAN NAVY

1. The Pre-bid meeting for the instant case, chaired by Cmde Sameer Agarwal, Addl PDIT, was held at NHQ Conference Hall, Sena Bhawan at 1500 hrs on 05 Jul 17. Cdr Piyush Baranwal, JDIT, was also present.

2. Reps from the following firms attended the meeting:-

(a) M/s Amtrak Systems Pvt. Ltd
(b) M/s C-DAC
(c) M/s Deloitte India Pvt. Ltd
(d) M/s Entrust Datacard Pvt Ltd
(e) M/s Gemalto Pvt. Ltd.
(f) M/s I-Value Pvt. Ltd
(g) M/s Tech Mahindra Pvt. Ltd
(h) M/s BEL
(i) M/s N-Code Solutions Pvt. Ltd
(j) M/s Technology Nexus Secured Business Solutions
(k) M/s Inspira Pvt. Ltd
(l) M/s Em Signer
(m) M/s BECIL
(n) M/s Microsoft
(o) M/s KNM Associates
(p) M/s Logix Net Soln Pvt Ltd
(q) M/s Futuresoft Solutions Pvt Ltd
(r) M/s MROTEK
(s) M/s E-Mudhra Ltd
(t) M/s Source Dot Com Pvt Ltd
(u) M/s PC Solutions
(v) M/s Krypto Agile

3. At the outset the Chairman welcomed everyone present and thanked everyone for the enthusiastic participation. To begin with the proceedings of the meeting, the Chairman clarified the following points:-

(a) At this juncture, all queries related to technical issues, bill of material and allied terms & conditions would be discussed/ clarified.

(b) No changes in RFP that carry any additional financial implication would be advisable and feasible at this stage.

(c) The terms & conditions mentioned at Part-III and Part-IV of RFP are standard terms & conditions required as part of Defence Procurement Manual (DPM) – 2009 and are non-negotiable.

(d) Necessary product certification details sought as part of this RFP are to be provided as the project pertains to security of networks.

(e) Bids to be prepared meticulously and no overwriting and errors in calculations are permissible.

(f) Calculation of taxes is to be done as per extant regulations.

4. Thereafter, JDIT read out the cardinal timelines of the RFP that had to be adhered to by all bidders. JDIT also amplified the timelines to be followed for the RFP process. The queries/ points that were raised by the prospective bidders in their correspondences to the steering directorate were discussed. The summary of discussions and decisions/ clarifications has been placed at Appendix A of this document.

5. To conclude, the Chairman thanked all the representatives for participation and further emphasized that suggestions for change in specifications, qualification criteria and any other change that would carry additional financial implication are not possible at this stage. The clarifications discussed during the meeting would be published as MoM of the Pre-bid meeting as corrigendum to RFP at the websites www.eprocure.in, www.tenders.gov.in and www.indiannavy.nic.in.

6. There being no further points, the meeting was closed. These minutes of meeting have the approval of competent authority.

Sdxx
(Piyush Baranwal)
Commander
JDIT
14 Jul 17
File No:- PC-15-IT/0622/04


Appendix A (refers to para 4)

PRE-BID QUERY – CLARIFICATIONS

Ser. | RFP Ref | Vendor Queries | Reply from Indian Navy

M/s Amtrak Systems Pvt. Ltd., M/s C-DAC

1 Page 40, Point 2 Server to be populated with minimum 128 GB DDR4 Memory or higher 2400MT/s RDIMMs expandable Up to 384GB.

Query: Kindly upgrade the memory from 384 to 768 GB.

Justification: Server to be populated with minimum 128 GB DDR4 Memory or higher 2400MT/s RDIMMs expandable Up to 768 GB.

Reply: As per RFP

2 Page 40, Point 7 Four 10 GBE ports on minimum two cards

Query: Kindly specify cards.

Justification: Please specify 10G Base T or SFP+.

Reply: It is clarified that Four 10 GBE ports (SFP+) on minimum two cards to be provided

3 Page 40, Point 8 Each Rack Server should be configured with two quantities of 8/16 Gbps FC Ports with transceivers. FCoE ports may be also provided in a different configuration as long as overall connectivity requirements are satisfied.

Query: Kindly delete FCOE as it is specific to ONE OEM.

Justification: FCoE will not surface the requirement of FC. Request you to please delete. "Please specify 10G Base T or SFP+FCoE ports may be also provided in a different configuration as long as overall connectivity requirements are satisfied."

Reply: Open Source information indicates that FCOE is not OEM specific. However, for connectivity requirements, it is clarified 10G Base T/ SFP/ FCoE ports may be also provided in a different configuration as long as overall connectivity requirements are satisfied.

4 Page 40, Point 11 SIs should provide embedded features that helps to manage Servers in physical, local and remote environments, operating in-band or out-of-band, with or without a systems management software agent.

Query: Please change SI to OEM.

Justification: It is should be OEM not SIs should provide embedded features that helps to manage Servers in physical, local and remote environments, operating in-band or out-of-band, with or without a systems management software agent.

Reply: It is clarified that OEM/ SIs should provide embedded features that helps to manage Servers in physical, local and remote environments, operating in-band or out-of-band, with or without a systems management software agent

5 Page 41, Point 13 The server should be able to alert impending failures on maximum number of components. The components covered under alerting mechanism should at least include Processors, memory, PCIe slots, VRMs, power supplies, fans, hard disk drives.

Query: Please delete PCIe slot, VRM, Power supplies and FANS.

Justification: Please get the same changed to The server should be able to alert impending failures on maximum number of components. The components covered under alerting mechanism should at least include Processors, memory, hard disk drives.

Reply: As per RFP

6 Page 41, Point 16 Smart Embedded Systems Management should be able to automate task like discovery deploy monitor and update.

Query: Kindly Remove Smart as it is specific to one OEM.

Justification: Embedded Systems Management should be able to automate task like discovery deploy monitor and update.

Reply: Open source information and discussions during Pre-bid conference indicates ‘Smart’ is not specific to OEM. Further, if the hardware provides the desired functionalities the same is acceptable. Hence, as per RFP.

7 Page 42, Point 9 Cooling : Should have inbuilt Rack cooling of capacity of 3 Ton or more

UPS Capacity: Should be supplied with Min 12 KVA rack-mounted UPS with Minimum backup 20 Min backup at full load. SMF Batteries

Intelligent Rack PDU

LCD TRAY with populated LCD / LED Screen

Keyboard / Mouse to be supplied in a Keyboard Tray. Compatible with the supplied KVM Switch

Query: Please clarify that Cooling system is required with redundancy. Please clarify that UPS system is required with redundancy.

Reply: It is clarified that no redundancy is required. Hence, as per RFP.

M/s Deloitte India Pvt. Ltd.

8 Page 8, Point 3(a) Two sites – Primary site and DR Site with exactly same configuration.

Query: We request you to confirm whether the Hardware quantity for DR is the same as that of the Primary site.

Reply: It is clarified that the hardware and software at both locations is identical.

9 Page 9, Point 6(a) (viii) Verification of historical signatures

Query: We request you to elaborate on “Verification of historical signatures”.

Reply: The requirement of verification of historical signatures is required for corroboration of signatures on documents. It is envisaged that the same may be required for regulatory, forensic and audit purposes.

10 Page 11, Point 7(b) (v) Interaction with CCA for registering Indian Navy as CA which includes the creation and validation of all the required documents like CPS, agreements, contracts and other documentation including Liaison with the CCA, GoI and other Agencies. Towards this application fee and miscellaneous expenditure is to be borne by the bidder.

Query: We would like to mention that while the bidder shall bear the Application fee and other expenses, the Bank Guarantee of INR 50 Lakhs should be borne by the Indian Navy. Hence, we request you to modify the clause as follows:

Interaction with CCA for registering Indian Navy as CA which includes the creation and validation of all the required documents like CPS, agreements, contracts and other documentation including Liaison with the CCA, GoI and other Agencies. Towards this application fee and miscellaneous expenditure is to be borne by the bidder. Bank Guarantee required, if any, in this process will be borne by the Navy.

Reply: It is clarified that application fee and miscellaneous expenditure is to be borne by the bidder. Bank Guarantee if required, in this process will be borne by the Navy.

11 Page 12, Point 8 (d) All required audits by CCA shall be presented by SI, including third party audit, and audit by STQC till certifications by CCA.

Query: We request you to provide the purpose and scope of the STQC audits.

Reply: It is understood from CCA that prior to CCA undertaking audit, it may direct STQC to audit the premises. It is for this reason that STQC audit has been included in the scope.

12 Page 12, Point 9 Following additional certificate courses to be conducted/ provided by SI with certification at SI’s cost

Query: We request you to modify the clause as follows:

Following additional certificate courses to be conducted/ provided by SI with certification at SI’s cost (SI to pay the exam fee only once)

Reply: It is clarified that the SI has to bear the examination fee only once.

13 Page 13, Point 10(b) Warranty

Query: We request you to elaborate on the warranty of PKI tokens.

Reply: It is clarified that warranty of the tokens is only for one year from the date of supply (part II para 5 of RFP refers).

14 Page 13, Point 10(c) (d) AMC, Optional Additional AMC

Query: We request you to clarify whether "AMC" and "Optional Additional AMC" are for the same duration i.e., post completion of warranty or "Optional Additional AMC" will commence after the warranty.

Reply: It is clarified that level of services for warranty, AMC and optional additional AMC is same. On completion of warranty, AMC will commence. Thereafter, Indian Navy may enter into a contract for additional AMC with the successful bidder based on the negotiated price. This contract for additional AMC may be drawn within three months post expiry of the AMC contract at the sole discretion of Indian Navy.

15 Page 14, Point 13 (d) Deployment of two Online Subordinate CAs in cluster in primary site, which will issue and manage the certificates for various purposes. CAs will be built in cluster for providing high availability within the same site and with similar configuration in DR site as well.

Query: We request you to clarify if we can propose a better architecture or the architecture is pre-decided? e.g., As all CAs will be implemented on VMs, we recommend that HA to be managed via hypervisor. We also recommend that the CA instances should be clustered between DC and DR, instead of two instances at each location.

Also, two CA instances can be used for different purposes like issuance of device certs from one CA and user certs from another.

Reply: It is clarified that two CAs in cluster in primary site, which will issue and manage the certificates for various purposes. CAs will be built in cluster for providing high availability within the same site and with similar configuration in DR site as well. In case, if the bidder proposes a better architecture without any additional cost implications the same can be considered post concurrence.

16 Page 15, Point 13 (h) Certificate enrolment mechanisms using Auto Enrollment, Web Enrolment pages and Network Device Enrolment Services (NDES, the SCEP-compatible service). Two dedicated Web servers will be deployed to host the Web Enrolment and NDES services.

Query: We request you to clarify if both servers will have both services i.e., NDES and Web Enrollment or one service each?

Also, request you to clarify if SI needs to supply these dedicated Web Servers for Web enrolment & NDES services or Navy will be providing the same.

Reply: The bidder is to make every effort to utilize the hardware supplied within the scope of the RFP. Additional hardware, if required separately for enrolment purposes, will be provided by Indian Navy

17 Page 15, Point 13 (i) Segment PKI systems of Indian Navy into networks or zones based on their functional, logical, and physical (including location) relationship.

Query: We would like to mention that, as best practices, zones should have different CA Servers. With only two CA Instances, inter-zone traffic has to be allowed.

Reply: It is amplified that the requirements to create Zones have been indicated from security perspective. Indian Navy will provide the necessary hardware for undertaking zoning, however the configuration has to be undertaken by the bidder.

18 Page 15, Point 13 (o) Provision for automatic generation of all reports, as required by CCA, should be made in software. Number of reports shall be up to 5 or as per CCA requirements whichever is more.

Query: We request you to elaborate on the scope to be covered in these reports.

Reply: As per discussions with CCA certain reports/ returns are to be sent to CCA. In anticipation, five reports have been asked in scope.

19 Page 16, Point 17 The Navy will be responsible for providing all relevant documents and data related to Indian Navy’s organizational, functional and other procedures as may be relevant for design and development of the PKI solution and can be made available as required in accordance with the project plan. Access to designated sites/ establishments of Navy would be provided. Indian Navy will nominate a nodal Officer who will be the point of contact for all services.

Query: We request you to modify the clause as follows:

The Navy will be responsible for providing all relevant documents and data related to Indian Navy’s organizational, functional and other procedures as may be relevant for design and development of the PKI solution and can be made available as required in accordance with the project plan. Access to designated sites/ establishments of Navy would be provided. Indian Navy will nominate a nodal Officer who will be the point of contact for all services.

(i) The Navy is responsible for determining that the scope of the Services is appropriate for its needs.

(ii) The Navy shall cooperate with the firm in the performance of the Services, including, without limitation, providing reasonable facilities and timely access to data, information and personnel of the Navy. The Navy shall be responsible for the performance of its personnel and agents, for the timeliness, accuracy and completeness of all data and information (including all financial information and statements) provided to Navy by or on behalf of the Navy and for the implementation of any advice provided as part of the Services. The firm may use and rely on information and data furnished by the Navy or others without audit or verification. The firm’s performance shall be dependent upon the timely performance of the Navy’s responsibilities under the Contract and timely decisions and approvals of the Navy in connection with the Services. The firm shall be entitled to rely on all decisions and approvals of the Navy.

(iii) Except as otherwise provided in the contract, the Navy shall be solely responsible for, among other things: (A) making all management decisions and performing all management functions; (B) designating one or more individuals who possess suitable skill, knowledge, and/or experience, preferably within senior management to oversee the Services; (C) evaluating the adequacy and results of the Services; (D) accepting responsibility for the results of the Services; and (E) establishing and maintaining internal controls, including, without limitation, monitoring ongoing activities.

(iv) Unless the contract specifies other arrangements, the Navy agrees that any Deliverables will be deemed accepted by the Navy (and the Services, or the relevant part of them complete) within 10 days of their delivery, upon their delivery in their final form or when the Navy first makes use of them in its business, whichever comes first.

Reply: It is clarified that the same cannot be included at this stage. Hence, as per RFP.

20 Page 17, Point 18 (n) The data provided to the SIs towards development of the project would need to be utilised in Naval premises only and would in no case be allowed to be taken out of naval premises in any form including electronic / digital form. In addition, the SIs must maintain necessary secrecy and confidentiality of the data provided by the Navy during the process of execution of the project. All the personnel deputed by the SIs for the project would deem to be under Official Secrets Act. In addition, the SIs is required to sign a Non-Disclosure Agreement with Navy regarding the use of data related to project.

Query: We request you to clarify if Navy would be providing laptop / desktop with OS & Office tools for the project as the vendor isn’t allowed to bring the IT equipment.

Reply: It is clarified that IN would be providing laptop / desktop with OS & Office tools for the project as the vendor isn’t allowed to bring the IT equipment.

21 Page 18, Point 24 Payment Stages

Query: Generally, the payment for the Hardware and Software are linked to the supply & commissioning. Hence, we request if the payment for the Hardware & Software can be made within 60 days of the commissioning of the same. The payment for the services can follow the stages mentioned in your RFP.

(a) BIDDER’s invoices are due and payable by the Bank upon presentation. For invoices upon which payment is not received within thirty (30) days of the invoice date, BIDDER reserves the right to charge 1% per month simple interest. Without limiting its other rights or remedies, BIDDER shall have the right to suspend or terminate the Services entirely or in part if payment is not received within thirty (30) days of the invoice date. The Bank shall be responsible for all taxes, such as VAT, sales and use tax, gross receipts tax, withholding tax, and any similar tax, imposed on or in connection with the Services, other than BIDDER’s income and property taxes.

(b) Any estimate of the fees involved in the Services will be based upon BIDDER's assessment of the work involved, taking account of any assumptions set out in the Engagement Letter. Unless BIDDER has agreed otherwise in the Engagement Letter, BIDDER's fees may be adjusted, for example, if the Services prove more complex or time consuming than expected.

Reply: As per RFP

22 Page 20 ESSENTIAL DETAILS OF ITEMS/ SERVICES REQUIRED

Query: Request you to add the following clause:

Confidentiality

(a) To the extent that, in connection with this Contract, either CONTRACTOR or the NAVY (the “receiving party”) comes into possession of any information, trade secrets or other proprietary information relating to the other (the “disclosing party”) which is designated in writing by the disclosing party as ‘Confidential Information’ (the “Confidential Information”), it shall not disclose such Confidential Information to any third party without the disclosing party’s consent except to the NAVY’s or CONTRACTOR’s legal advisors solely for the purpose of obtaining legal advice, or as may be required by law, regulation, judicial or administrative process, or to the extent that such Confidential Information (A) shall have otherwise become publicly available (including, without limitation, any information filed with any governmental agency and available to the public) other than as the result of a disclosure by the receiving party in breach hereof, (B) becomes available to the receiving party on a non-confidential basis from a source other than the disclosing party which the receiving party believes is not prohibited from disclosing such information to it by obligation to the disclosing party, (C) is known by the receiving party prior to its receipt from the disclosing party without any obligation of confidentiality with respect thereto or (D) is developed by the receiving party independently of any disclosures made by the disclosing party to the receiving party of such information. In satisfying its obligations under this Paragraph 32(a), each party shall maintain the other’s Confidential Information in confidence using at least the same degree of care as it employs in maintaining in confidence its own Confidential Information, but in no event less than a reasonable degree of care. The obligations imposed by this clause 32 (a) shall survive the termination of this Contract for a period of one (1) year

(b) Disclosure by CONTRACTOR. The NAVY also consents to CONTRACTOR disclosing Confidential Information (i) to any Contractor Entity and to any Subcontractors that have agreed to be bound by confidentiality obligations similar to those in this paragraph 32 and (ii) to its auditors, insurers or in accordance with applicable professional standards, or in connection with potential litigation.

(c) In the performance of the Services, any Contractor Entity or any Subcontractor may communicate or discuss the affairs of the NAVY with the other advisers of the NAVY and may do so free from any obligation of confidentiality.

(d) The NAVY acknowledges that CONTRACTOR, in connection with performing the Services, may develop or acquire general knowledge, experience, know-how, skills and ideas that are retained in the memory of its personnel. Notwithstanding anything to the contrary herein, the NAVY acknowledges and agrees that CONTRACTOR may use such general knowledge, experience, know-how, skills and ideas.

(e) Nothing contained herein will prevent or restrict any Contractor Entity, including CONTRACTOR, from providing services to other NAVYs (including services which are the same or similar to the Services) even if those other NAVYs’ interests are in competition with the NAVY. To the extent that CONTRACTOR possesses information obtained under an obligation of confidentiality to another NAVY or other third party, CONTRACTOR is not obliged to disclose such information to the NAVY, or use it for the benefit of the NAVY, however relevant it may be to the Services.

(f) In addition, the NAVY acknowledges and agrees that any such information that comes to the attention of CONTRACTOR in the course of performing this engagement may be considered and used by any Contractor entity rendering accounting services in the context of responding to its professional obligations as the independent accountants for the NAVY.

(g) The NAVY agrees to reimburse any costs any Contractor Entity or any Subcontractor may incur in complying with any legal, professional or regulatory disclosure requirement relating to any of the Services imposed in any proceedings or regulatory process not involving any substantive claim or proceeding against any such Contractor Entity or Subcontractor, provided the NAVY is notified promptly and, where reasonably or legally possible, prior to disclosure.

(h) Disclosure and use by NAVY. Notwithstanding Clause 32 (a) above, the NAVY shall not disclose to any third party the advice, opinions, reports or other work product of CONTRACTOR provided hereunder without the express written consent of CONTRACTOR, except (i) where applicable laws, regulations, rules and professional obligations prohibit limitations on disclosure, (ii) in the event that the NAVY or its affiliates have securities registered with the United States Securities and Exchange Commission and any Contractor Entity is the auditor of the NAVY or any of its affiliates, in which case there are no restrictions or limitations on the disclosure of CONTRACTOR’s advice, opinions, reports and other work product provided hereunder, or (iii) to the extent the United States Internal Revenue Code and applicable Internal Revenue Service guidance relating to confidential tax shelters (or comparable law or guidance from other taxing authorities) apply, in which case there are no restrictions or limitations on the disclosure of CONTRACTOR’s advice, opinions, reports and other services. The NAVY shall use the advice, opinions, reports or other work product of CONTRACTOR solely for the purposes specified in the engagement letter and, in particular, shall not, without the prior written consent of CONTRACTOR, use any advice, opinion, report or other work product of CONTRACTOR in connection with business decisions of any third party or for advertisement purposes. All Services are only intended for the benefit of the NAVY. The mere receipt of any advice, opinions, reports or other work product by any other persons is not intended to create any duty of care, professional relationship or any present or future liability between those persons and CONTRACTOR. As a consequence, if copies of any advice, opinions, reports or other work product (or any information derived therefrom) are provided to others under the above exclusions, it is on the basis that CONTRACTOR owes no duty of care or liability to them, or any other persons who subsequently receive the same.

Reply: The Confidentiality and Non Disclosure Agreement is to be guided by Appendix A of RFP. Hence, as per RFP.

23 Page 20 ESSENTIAL DETAILS OF ITEMS/ SERVICES REQUIRED

Query: Request you to add the following clause:

Limitation of Liability

a. Nothing in this Contract shall exclude or restrict or prevent a Claim being brought in respect of:

(i) any liability finally judicially determined to arise primarily from the fraud or bad faith of any Deloitte Entity or any Subcontractor; or

(ii) any other liabilities which cannot lawfully be limited or excluded, save to the extent permitted by law.

b. The Company agrees that CONTRACTOR shall not be liable to the Company for any Losses for an aggregate amount in excess of the fees paid by the Company to CONTRACTOR under the Contract.

c. In circumstances where the provisions of state contrary herein, are finally judicially determined to be unenforceable, no Deloitte Entity or Subcontractor shall be liable to the Company for any Losses for an aggregate amount in excess of the fees paid under the Contract.

d. In no event shall any Deloitte Entity or Subcontractor be liable for any loss of use, contracts, data, goodwill, revenues or profits (whether or not deemed to constitute direct Losses) or any consequential, special, indirect, incidental, punitive or exemplary loss, damage, or expense relating to this Contract or the Services.

e. In circumstances where all or any portion of the provisions of this paragraph 33 are finally judicially determined to be unenforceable, the aggregate liability of CONTRACTOR and any other Deloitte Entity or Subcontractor for any Loss shall not exceed an amount which is proportional to their relative responsibility for the Loss to which the Claim relates taking into account the contributory negligence (if any) of the claimant and the responsibility and/or liability of any third party.

f. CONTRACTOR will not be liable for Losses arising as a result of the provision of false, misleading or incomplete information or documentation or the withholding or concealment or misrepresentation of information or documentation by any person other than a Deloitte Entity or a Subcontractor.

Reply: As per RFP

24 Page 20 ESSENTIAL DETAILS OF ITEMS/ SERVICES REQUIRED

Query: Request you to add the following clause:

Indemnification

The Navy shall indemnify and hold harmless selected bidder for all Losses incurred in connection with any third party Claim, except to the extent finally judicially determined to have resulted primarily from the fraud or bad faith of selected bidder.

Reply: As per RFP

25 Page 20 ESSENTIAL DETAILS OF ITEMS/ SERVICES REQUIRED

Query: Request you to add the following clause:

Ownership of BIDDER Property & Work Products

On payment of all of BIDDER’s fees in connection with this Contract, the Company shall obtain a non-exclusive license to use within its internal business, subject to the other provisions of this Contract, any Deliverables or work product for the purpose for which the Deliverables or work product were supplied. BIDDER retains all rights in the Deliverables and work product, and in any software, materials, know-how and/or methodologies that BIDDER may use or develop in connection with this Contract.

Reply: As per RFP

26 Page 22, Point 6 In case it is found to the satisfaction of the Buyer that the Seller has engaged an Agent or paid commission or influenced any person to obtain the contract as

described in clauses relating to Agents/Agency Commission and penalty for use of undue influence, the Seller, on a specific request of the Buyer, shall provide

necessary information/ inspection of the relevant financial documents/information.

Query: Request you to modify the clause as follows:

In case it is found and adjudged by the Appellant Court to the satisfaction of the Buyer that the Seller has engaged an Agent or paid commission or influenced any

person to obtain the contract as described in clauses relating to Agents/Agency Commission and penalty for use of undue influence, the Seller, on a specific request of

the Buyer, shall provide necessary information/ inspection of the relevant supporting documents / information and invoices pertaining to services

The Part III and Part IV of RFP are as per the standard clauses in accordance with the existing regulations i.e Defence Procurement Manual – 2009. These clauses cannot be changed. Hence, as per RFP.

27 Page 22, Point 8 In the event of the Seller’s failure to submit the Bonds, Guarantees and Documents, supply the stores/goods and conduct trials, installation of equipment, training, etc.

as specified in this contract, the Buyer may, at his discretion, withhold any payment until the completion of the contract. The BUYER may also deduct from the

SELLER as agreed, liquidated damages to the sum of 0.5% of the contract price of the delayed/undelivered stores/services mentioned above for every week of delay

or part of a week (beyond the contracted delivery period), subject to the maximum value of the Liquidated Damages being not higher than 10% of the value of delayed

stores/services.

Query: Request you to modify the clause as follows:

In the event of the Seller’s failure to submit the Bonds, Guarantees and Documents, supply the stores/goods and conduct trials, installation of equipment, training, etc.

as specified in this contract, the Buyer may, at his discretion, withhold any payment until the completion of the contract. The BUYER may also deduct from the

SELLER as agreed, liquidated damages to the sum of 0.5% of the contract price of the balance services mentioned above for every week of delay or part of a week

(beyond the contracted delivery period), subject to the maximum value of the Liquidated Damages being not higher than 10% of the value of delayed stores/services.

The Part III and Part IV of RFP are as per the standard clauses in accordance with the existing regulations i.e Defence Procurement Manual – 2009. These clauses cannot be changed. Hence, as per RFP.

28 Page 23, Point 9 (d) The Buyer has noticed that the Seller has utilised the services of any Indian/Foreign agent in getting this contract and paid any commission to such

individual/company etc.

(e) As per decision of the Arbitration Tribunal.

Query: Request you to modify the clause as follows:

(d) The Buyer has noticed that the Seller has utilised the services of any Indian/Foreign agent in getting this contract and paid any commission to such

individual/company

(e) As per decision of the Arbitration Tribunal.

Unless terminated sooner in accordance with its terms, this Contract shall terminate once the Services have been performed. This Contract may be terminated by

BIDDER at any time, with or without cause, by giving written notice to the other party not less than thirty (30) days before the effective date of termination, provided

that, in the event of a termination for cause, the breaching party shall have the right to cure the breach within the notice period. BIDDER may terminate this Contract

with immediate effect upon written notice to the Client if BIDDER determines that (a) a governmental, regulatory, or professional entity, or an entity having the force of

law, has introduced a new, or modified an existing, law, rule, regulation, interpretation, or decision, the result of which would render BIDDER’s performance of any part

of the Contract illegal or otherwise unlawful or in conflict with independence or professional rules, or (b) circumstances change (including, without limitation, changes in

ownership of the Client or any of its Affiliates) such that BIDDER’s performance of any part of the Contract would be illegal or otherwise unlawful or in conflict with

independence or professional rules. Upon termination of the Contract, the Client will compensate BIDDER under the terms of the Engagement Letter for the Services

performed and expenses incurred through the effective date of termination.

The Part III and Part IV of RFP are as per the standard clauses in accordance with the existing regulations i.e Defence Procurement Manual – 2009. These clauses cannot be changed. Hence, as per RFP.

29 Page 23, Point 12 The prices stated in the present Contract shall be deemed to include all amounts payable for the use of patents, copyrights, registered charges, trademarks and

payments for any other industrial property rights. The Seller shall indemnify the Buyer against all claims from a third party at any time on account of the infringement of

any or all the rights mentioned in the previous paragraphs, whether such claims arise in respect of manufacture or use. The Seller shall be responsible for the

completion of the supplies including spares, tools, technical literature and training aggregates irrespective of the fact of infringement of the supplies, irrespective of the

fact of infringement of any or all the rights mentioned above.

Query: Request you to modify the clause as follows:

The prices stated in the present Contract shall be deemed to include all amounts payable for the use of patents, copyrights, registered charges, trademarks and payments for any other industrial property rights. The Seller shall indemnify the Buyer against all claims from a third party at any time on account of the infringement of any or all the rights mentioned in the previous paragraphs, whether such claims arise in respect of manufacture or use. The Seller shall be responsible for the completion of the supplies including spares, tools, technical literature and training aggregates irrespective of the fact of infringement of the supplies, irrespective of the fact of infringement of any or all the rights mentioned above.

Provided that this indemnity shall not apply in the following cases: (a) the modification of the Consultant’s deliverables provided under its services by any person other than the Consultant or its personnel (b) Client’s failure to use any modification to the Consultant’s deliverables provided under its services made available by Consultant where use of such modification would have avoided the infringement; (c) information, materials instructions or specifications that are themselves infringing which are provided by or on behalf of the Client or which the Client requests or requires the Consultant to use; or (d) the use of the Consultant’s deliverables provided under its services in a manner not agreed to hereunder; provided that the Client gives the Consultant written notice of any such claim and sole control over the defense of any such claim.

The Part III and Part IV of RFP are as per the standard clauses in accordance with the existing regulations i.e Defence Procurement Manual – 2009. These clauses cannot be changed. Hence, as per RFP.

30 Part III Query: We would request you to consider our General Business Terms (GBT) at the time of signing the Contract Agreement.

We would request you to consider our System Testing Agreement (STA) for the VAPT services sought at the time of signing the Contract Agreement.

We would like to know if including our GBT and STA for your consideration with the Technical Bid is permitted.

The Part III and Part IV of RFP are as per the standard clauses in accordance with the existing regulations i.e Defence Procurement Manual – 2009. These clauses cannot be changed. Hence, as per RFP.

31 Page 27, Point 2,3 Option Clause, Tolerance Clause

Query: We request you to provide more clarity and differentiate these two clauses

It is clarified that Tolerance clause is exercised to take care of any change in requirements upto 20% plus/minus during the period starting from issue of RFP till placement of the contract. In case of an Option Clause, the buyer can exercise an option to procure 50% of the original contracted services/ goods i.a.w the same terms and conditions of the contract. Option clause will be applicable during the currency of contract. Part IV para 2 and 3 of RFP refers.

32 Page 29, Point 8(d) Any excess of the purchase price, cost of manufacturer, or value of any stores procured from any other supplier as the case may be, over the contract price

appropriate to such default or balance shall be recoverable from the SELLER. Such recoveries shall not exceed 10% of the value of the contract.”

Query: The navy has remedy for termination and invoking PBG, it should not levy additional cost on the Bidder. Hence, we request you to modify the clause as

follows:

(d) Any excess of the purchase price, cost of manufacturer, or value of any stores procured from any other supplier as the case may be, over the contract price

appropriate to such default or balance shall be recoverable from the SELLER by invoking the PBG

The Part III and Part IV of RFP are as per the standard clauses in accordance with the existing regulations i.e Defence Procurement Manual – 2009. These clauses cannot be changed. Hence, as per RFP.

33 Page 30, Point 11 Any dispute between the parties shall be resolved mutually by the parties. If the dispute cannot be resolved by mutual consultation between the parties, the same shall

be resolved in accordance with provisions of Arbitration and Conciliation Act, 1996 and rules framed there under as may be amended from time to time or its re-

enactment. Place of Arbitration shall be Delhi. The Arbitrator will be appointed by the Indian Navy and decision of the Arbitrator shall be final and binding on the

parties.

Query: We request you to modify the clause as follows:

Any dispute between the parties shall be resolved mutually by the parties. If the dispute cannot be resolved by mutual consultation between the parties, the same shall be resolved in accordance with provisions of Arbitration and Conciliation Act, 1996 and rules framed there under as may be amended from time to time or its re-enactment. Place of Arbitration shall be Mumbai. The Arbitrator will be appointed on mutual agreed basis and decision of the Arbitrator shall be final and binding on the parties.

The Part III and Part IV of RFP are as per the standard clauses in accordance with the existing regulations i.e Defence Procurement Manual – 2009. These clauses cannot be changed. Hence, as per RFP.

34 Page 34 CONFIDENTIALITY AND NON DISCLOSURE AGREEMENT

The Indian Navy and the SIs shall keep confidential and shall not, without the written consent of the other party hereto, divulge to any third party any documents, data

or other information furnished directly or indirectly by the other party hereto in connection with the Contract, whether such information has been furnished prior to,

during or following termination of the Contract. Notwithstanding the above, the SIs may furnish to its Subcontractor(s) such documents, data and other information it

receives from the Navy to the extent required for the Subcontractor(s) to perform its work under the Contract, in which event SIs shall obtain from such

Subcontractor(s) an undertaking of confidentiality similar to that imposed on this SIs under this Clause. SIs also undertakes not to use any information gained by virtue

of this project, in any form, to prepare, develop, market or sell any system or product for utilization by any other client. The provisions of this Clause shall survive

termination, for whatever reason, of the Contract.

Query: Request you to modify the clause as follows:

The Indian Navy and the SIs shall keep confidential and shall not, without the written consent of the other party hereto, divulge to any third party any documents, data

or other information furnished directly or indirectly by the other party hereto in connection with the Contract, whether such information has been furnished prior to,

during or following termination of the Contract. Notwithstanding the above, the SIs may furnish to its Subcontractor(s) such documents, data and other information it

receives from the Navy to the extent required for the Subcontractor(s) to perform its work under the Contract, in which event SIs shall obtain from such

Subcontractor(s) an undertaking of confidentiality similar to that imposed on this SIs under this Clause. SIs also undertakes not to use any information gained by virtue

of this project, in any form, to prepare, develop, market or sell any system or product for utilization by any other client. The provisions of this Clause shall survive

termination, for whatever reason, of the Contract for a period of One (1) year from effective date of termination.

This Agreement shall terminate once services are being performed or by written notice to other party of not less thirty (30) days.

To the extent that, in connection with this contract, either SI or the NAVY (the “receiving party”) comes into possession of any information, trade secrets or other

proprietary information relating to the other (the “disclosing party”) which is designated in writing by the disclosing party as ‘Confidential Information’ (the “Confidential

Information”), it shall not disclose such Confidential Information to any third party without the disclosing party’s consent except to the NAVY’s or SI’s legal advisors

solely for the purpose of obtaining legal advice, or as may be required by law, regulation, judicial or administrative process, or to the extent that such Confidential

Information (A) shall have otherwise become publicly available (including, without limitation, any information filed with any governmental agency and available to the

public) other than as the result of a disclosure by the receiving party in breach hereof, (B) becomes available to the receiving party on a non-confidential basis from a

source other than the disclosing party which the receiving party believes is not prohibited from disclosing such information to it by obligation to the disclosing party, (C)

is known by the receiving party prior to its receipt from the disclosing party without any obligation of confidentiality with respect thereto or (D) is developed by the

receiving party independently of any disclosures made by the disclosing party to the receiving party of such information. In satisfying its obligations under this clause,

each party shall maintain the other’s Confidential Information in confidence using at least the same degree of care as it employs in maintaining in confidence its own

Confidential Information, but in no event less than a reasonable degree of care.

In no event shall either party, its affiliates, or related entities be liable for consequential, special, indirect, incidental, punitive or exemplary loss, damage, or expense

relating to this Agreement (whether in contract, statute, tort (such as negligence), or otherwise).

This is standard Confidentiality clause of Indian Navy. Hence, as per RFP.

35 Page 47, Point 11 CRLs should be supported with configurable format, issuing period etc. It should be possible to use indirect CRLs, which are not signed by the CA, but by a delegated

instance.

Query: We would like to mention that this is not recommended for Navy and hence the feature should be removed.

It is amplified that CRLs should be supported with configurable format, issuing period etc. The feature to use indirect CRLs, which may be signed by the CA, or by a delegated instance is optional.

36 Page 48, Point 21 CA key management, Root-CA and Sub-CA certification, CA policy management: It should be possible to manage any number of CAs in any hierarchy in the same

system. The CAs should possibly have different CA policies

Query: We would like to mention that this is not recommended for Navy and hence the feature should be removed.

It is clarified that in a hierarchy the CA should be able to manage multiple sub-CA.

37 Page 48, Point 26 Multi-tenancy, delegated CA management: it should be possible to define administration domains with separation with respect to visibility and access to CAs, policies,

roles, CA users, logs etc.

Query: We would like to mention that Multi-tenancy is not recommended for Navy and hence the feature should be removed.

It is clarified that with delegated CA management it should be possible to define administration domains with separation with respect to visibility and access to CAs, policies, roles, CA users, logs etc and Multi tenancy feature is optional


38 Page 48, Point 29 There should be a powerful API (preferably Web Services protocol) that supports certification, revocation, delayed publication for any end entity as well as to retrieve

user and certificate information. The API should be access controlled and multi-tenant capable.

Query: We would like to mention that Multi-tenancy is not recommended for Navy and hence the feature should be removed.

It is clarified that the API should be access controlled and feature of multi-tenant capability is optional.

39 Page 49, Point 37 All relevant user actions (e.g. registration, certification, revocation etc.) should be logged in a digitally signed revision safe audit trail (transaction log), which is audit-

able. Relevant actions require commitment signatures of the user(s). Critical actions (e.g. CA management) require commitment signatures of more than one officer.

Query: We would like to mention that logging in digitally signed is not a standard practice and may not be available with all CA applications. Hence, request you to

look into this.

It is clarified that all relevant user actions (e.g. registration, certification, revocation etc.) should be logged in a revision safe audit trail (transaction log), which is audit-able. The logs generated should be in compliance of extant GOI regulations/ CCA if any.

40 Page 49, Point 41 All sensitive tasks should require 4-eyes-principle

Query: 4-eye principle should be replaced with split control as 4-eye principle is vendor specific. This will ensure fair playing field for all the vendors and encourage

more vendors to participate.

It is amplified that the requirement is that all sensitive tasks should be undertaken using segregation of duties with a minimum of two people at CA application level or at HSM level.

41 Page 50, Point 56 Letter from the organization where the Solution has been implemented, confirming that CA Solution has been implemented in their organization and working

satisfactorily.

Query: We request you to modify the clause as follows to bring-in more clarity and to include both OEM/SI credentials:

OEM / SI vendor to share the letter from the organization where the Solution has been implemented, confirming that CA Solution has been implemented in their

organization and working satisfactorily.

The requirement is that the solution being offered is in use satisfactorily at some other organization. Hence, as per RFP.

42 Page 50 AR CA shall support an OCSP capability using the GET or the POST method for DSC issued.

Query: We request you to clarify what “AR CA” means?

It is clarified that CA shall support an OCSP capability using the GET or the POST method for DSC issued

M/s Entrust Datacard Pvt Ltd.

43 If the solution architecture uses a data base/ RDBMS Solution Software must support MS SQL 2012 and Oracle 11g, if an RDBMS is used to store user, credential,

configuration, log or other data.

Query: The type of database product should not be relevant especially where there’s no additional licensing cost and it’s not a separate box to manage. Some

solutions use other Industry Standard Databases, which gets installed as part of the product install. For all practical purposes it’s a closed system and the database

element is transparent. What is the specific technical requirement (if any) that is behind the need for MS SQL and Oracle? Request you to change / modify this

clause to allow solution to use its own database if available? Plus customer saves cost here.

The databases specified in RFP are from reputed vendors and in case if MS SQL 2012 is proposed then Indian Navy could provide the licenses. It is further amplified, that the bidder may also deploy any other database from reputed vendors as per design.

44 It should be possible to run any number of CAs in any hierarchy in the same system. The CAs should possibly have different CA policies.

Query: Can we seek clarity around what is meant by “the same system”? Does the use of the word “system” relate to the overall solution? Please elaborate on what

the ask is here ?

It is clarified that the CA application is required to run in a hierarchical manner within Indian Navy’s Intranet.

45 CRLs should be supported with configurable format, issuing period etc. It should be possible to use indirect CRLs, which are not signed by the CA, but by a delegated

instance.

Why is there a need to use “Indirect CRLs”? We believe this is a vendor specific clause and should be removed to allow more OEMs to participate/qualify.

It is amplified that CRLs should be supported with configurable format, issuing period etc. The feature to use indirect CRLs, which may be signed by the CA, or by a delegated instance is optional.

46 Support of multiple HSMs (over PKCS#11 and JCE) for storing CA private keys and all other system keys.

Query: Why is there a need to communicate over JCE if Industry standard PKCS # 11 meets the requirements? Request you to please modify this clause to PKCS#11 or JCE.

It is clarified that support of multiple HSMs (over PKCS#11 or JCE) for storing CA private keys and all other system keys.

47 The product must offer centralized, secure management of CAs, policies and configuration data with GUI support.

Query: Please explain user use case about who manages each CA, what sort of roles in each location/geography manage CA’s both within and outside their usual

location/geographic region.

It is amplified that web management using GUI is being sought for management of the application within Navy’s intranet.

48 SCEP should be supported. Only authorized (registered) SCEP devices should be granted with a certificate. Renewal over SCEP should be possible without an

additional registration. It should be possible to run different SCEP services for different CAs.

Query: Please elaborate on details around the type of devices typically involved and what their use case is.

It is clarified that SCEP is envisaged to be used for network devices within Indian Navy like Routers, VPN etc.

49 CMP should be supported – System should support Certificate enrollment part of Certificate Management Protocol (CMP) v2 as profiled by 3GPP TS 33.310 version 9.5.0 (ETSI TS 133 310 V9.5.0).

Query: Please elaborate on details around the type of devices typically involved and what their use case is.

Also would request this be modified to allow CMPv2 compliant enrollment service that supports RFC 4210. We have tested with Security Gateway products and have

built to the 3GPP specification but have yet to fully test with an eNodeB, would support eNodeB in roadmap (part of 3GPP specs.)

It is clarified that CMPv2 compliant enrollment service that supports RFC 4210 is also acceptable.

50 Should support Active-Active type of high availability ensuring sub components that can be multiplied to match performance and fault tolerance needs.

Query: What exactly is the actual solution requirement is in terms of overall resilience, failover, integrity and response time. Is this really perceived as a “MUST” or

just a highly desirable and if so based upon what exact performance metric?

We have many referenceable installations where appropriate high availability solutions are deployed etc.

It is amplified that the support for Active-Active type of high availability is being sought for continuous operations. In case if the product offers High Availability through other means or is there in the roadmap without any financial implications, the same is acceptable.

51 Support for different certificate profiles based on X.509 Public Key Certificates, Attribute Certificates, Card Verifiable Certificates (CVC) (e.g. ePassports), Tachograph

Certificates, Wireless TLS (WTLS) Certificates in conformance with the Wireless PKI (WPKI) specifications

Query: Please explain the need to support Tachograph Certificates. We believe this is a vendor specific clause and should be removed.

It is clarified that tachograph certificates are optional feature.

52 Interface to external modules for secure communication with server applications

Query: We need more details here. What external modules are you referring to, what server applications? Some knowledge of those will provide information about

what sort of communications protocols are being used. All communications between our components are already secure so detail about what else they want to

connect to is required.

It is amplified that all communications between the application and modules should be secure.

M/s Gemalto Pvt. Ltd., M/s I-Value Pvt. Ltd.

53 Page 14, Point 14 Keys should always remain in Hardware and never reside in software in any form/ As per CCA Guidelines.

Query: We request you to please re-look into the same as the statement looks that "KEYS" in hardware is taken as optional feature, which is very important and

critical in nature.

CCA provides guidelines for minimum security requirement, However that should not become the highest benchmark, when we are going to develop a secure system.

Considering the fact that we will be using HSM i.e. "Hardware Security Module" that means that Keys should always be in Hardware and never be in software in any

form. If it will be in software at any point of time then its defeats the purpose of procuring / using HSM.

So we request to edit this clause as "Keys should always remain in Hardware and never reside in software in any form". HSM must comply with CCA Guidelines."

Justification: HSM should always capable of storing the KEYs inside the HSM only, and never allows to store the Keys in software no matter if the master Keys are

in HSM and rest of the keys are encrypted and kept in software. If the HSM keeps the Keys in software, there is a master wrapping key that is stored inside the HSM

but every other key is outside of the HSM. To put it plainly, the keys are kept in a file and are loaded into the HSM when they are needed. And this is where the

vulnerability lies .. the keys are stored in a file, and the security of the keys is related to the security of the file. I can make a copy of the file (because it sits on the filesystem) so I can use any root or Administrator privilege escalation vulnerability to get to the file and then mount a brute force attack on this file and the HSM has no control over this

It is amplified that Indian Navy seeks to procure HSM whose specifications and features are in accordance with CCA guidelines and would be acceptable during CCA certification audits.

54 Page 44, Point 29 Functions have to be secured using public key technology and functions have to be executed within tamper resistant hardware. The hardware design should allow for

programmable cryptography and custom functions

Query: Are we going to run custom made functions/Applications inside the HSM? If yes then this will make the FIPS certification invalid and as per CCA FIPS based

Hardware is must. Will that be fine? If not then request you to remove this clause.

Justification: To keep HSM FIPS compliant, in that case programmable HSM should be allowed for the same and as per CCA guidelines HSM should be FIPS certified for the security reasons.

It is clarified that the functions generally use APIs of HSM. The functions therefore in no manner affect the security of the device as it accesses the HSM only through the APIs. Hence as per RFP.

M/s Tech Mahindra Pvt. Ltd.

55 Page 9, Point 6 No server or CAL is envisaged to be procured as part of this project. In case of Microsoft Server and database licenses required during infrastructure setup by the

successful bidder, the same will be provisioned by Indian Navy

Query: Request to specify the available OS & DB version with Navy. Please clarify that requisite OS & DB licenses would be provided by Navy?

The following softwares are available with Indian Navy:-

Server OS- Windows Server 2008 R2/ 2012 and 2012 R2

Database – MS SQL 2012 STD/ Enterprise

56 Page 9, Point 6 (b) The bidder may use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per

CCA. The application should utilise the authentication mechanism of existing IT infrastructure viz. Active Directory and IDAM (Currently CA Software).

Query: There are no workflow approvals specified by CCA -- this is to be decided by Navy. Also, CA system may have its own approval process which can be

integrated with AD & may not require share point. e-form integration workflow. Kindly elaborate.

It is clarified that certificate issuance requests from work flow software should be catered. The work flow software should leverage/ integrate with the IDAM(OEM CA) of Indian Navy for credentials of the persons requesting the certificate. The designed workflow should comply to CCA guidelines on issuance of different class of certificates. The applications that can be used for work flow and available with Indian Navy has been mentioned in the RFP. The bidder may use the applications and the licenses for same will be provided by Indian Navy. The bidder is free to use any other application in case if he desires to. Further, in case of a CA product having an inbuilt workflow the same is also acceptable to Indian Navy if it meets the overall functionality requirements.

57 Page 39 Prime Bidder individually or jointly with Consortium partners should have experience of having successfully associated with a PKI project or a esign project during last

5 years ending last day of month previous to the one in which bids are invited.

Query: there haven’t been any recent RFPs for licensed PKI CA projects being executed by the prime bidders. Most of the enterprise/licensed CA are directly executed by OEMs

We request Navy to change the clause for considering OEM credentials:

Prime Bidder individually / CA software OEM should have experience of having successfully associated with a PKI project or a esign project during last 5 years ending last day of month previous to the one in which bids are invited.

Prime Bidder & CA Software OEM can submit a teaming agreement to Navy for scope of work and obligations at the contract stage.

It is clarified that prime Bidder individually or jointly with Consortium partners should have experience of having successfully associated with a PKI project or a E-sign project during last 5 years ending last day of month previous to the one in which bids are invited.

58 Page 8 Indian Navy intends to deploy a highly secure Public Key Infrastructure (PKI) in order to provide trusted cryptographic keys (certificates) for securing its communications, SSL, code signing, etc

Query: What are the type of certificates that are envisaged to be issued by the CA? (Digital signature, SSL, code signing etc). As per CCA guidelines, the CA for issuing SSL and code signing certificates needs to be separate from that issuing User based certificates.

It is clarified that the immediate requirement is of Digital signature. However, the system should be capable to issue/ support other Certificates like SSL, code signing etc

59 Page 8 Audit

Query: Can we assume that all controls required for the CCA audit other than those specified in this RFP ,(physical, logical etc) would be met by the Indian Navy?

It is amplified that any Civil works or any additional hardware which is required for the project will be undertaken by Navy. However, the timely advice and offering of the same to CCA for audits will be responsibility of the bidder.

60 Page 8 Two set of Hardware running in HA and FT mode

Query: Is it possible that we can use the HA and FT features of the VMWare software already available with the Indian Navy for providing the solution?

It is clarified that Indian Navy uses Hyper–V, functionalities available in the application can be leveraged by the bidder to achieve the objective.

61 Query: Is there any specified RPO/RTO between DC and DR?

The desired RPO/ RTO between DC and DR is 06 Hours/ 24 Hours respectively

M/s BEL

62 Page 9, Point 6 Indian Navy as part of earlier procurement has procured requisite Microsoft Server, database, Virtualisation Environment and requisite User CAL licenses for internal usages. No server or CAL is envisaged to be procured as part of this project. In case of Microsoft Server and database licenses required during infrastructure setup by the successful bidder, the same will be provisioned by Indian Navy.

Query: RFP States that Microsoft server and database licenses required during infrastructure setup by the successful bidder, the same will be provisioned by Indian Navy.

We understood that the server licenses mentioned is Window server operating system. Please provide the version of present Windows Operating system

The following software is available with Indian Navy:-

(a) Server OS - Windows Server 2008 R2/ 2012 and 2012 R2 (Std and DataCenter)

(b) Database – MS SQL 2012 STD/ Enterprise

63 Page 9, Point 6 (a) (xii) Mechanism to recover dependent data on keys held in lost tokens. Key Escrow as per existing regulations or best practices. Query: The RFP requirement states that a provision to recover data secured by keys in lost token should be provided as part of solution. Is the understanding correct, Please confirm.

The understanding is correct.

64 Page 9, Point 6 (a) (xii) Mechanism to recover dependent data on keys held in lost tokens. Key Escrow as per existing regulations or best practices. Query: Please brief on the existing Key Escrow policy of the Navy.

It is clarified that currently there is no key escrow mechanism existing in the Navy as on date.

65 Page 9, Point 6 (a) (xii) Mechanism to recover dependent data on keys held in lost tokens. Key Escrow as per existing regulations or best practices. Query: Since Key escrow is mentioned as per Navy policy, is the key pair generation for end clients to be centralised in HSM or key pair generation is to be done in token/ end systems/RA.

It is clarified that Key Pair generation is to be done in tokens or as per CCA guidelines/ Best practices.

66 Page 9, Point 6(b) Indian Navy currently has licenses for Microsoft Sharepoint 2013 server, EMC2 Documentum, CA Identity Manager and Necessary Client licenses. The bidder may use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per CCA. The application should utilise the authentication mechanism of existing IT infrastructure viz. Active Directory and IDAM (Currently CA Software).

Query: The Para mentioned that Indian Navy currently has licenses for Microsoft Sharepoint 2013 Server, EMC2 documentation, CA identity manager and necessary client licenses and that work flow software may leverage on same for development of work flows. We understand that the bidder can also provide new development of work flow software not using the existing components. Please confirm.

Clarification same as serial 56.

67 Page 9, Point 6(b) Indian Navy currently has licenses for Microsoft Sharepoint 2013 server, EMC2 Documentum, CA Identity Manager and Necessary Client licenses. The bidder may use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per CCA. The application should utilise the authentication mechanism of existing IT infrastructure viz. Active Directory and IDAM (Currently CA Software).

Query: Work flow software is envisaged to be centralised software hosted in the portal to be used for certificate issuance process. Please confirm.

It is clarified that the work flow software is envisaged to be centralized software hosted in the portal to be used for certificate issuance process.

68 Page 10, Point 7(a) (ii) Configure Certificate Template for Issuing Systems (i.e. IDAM System of Indian Navy currently from CA Technologies) with up to 05 templates, any customization or integration of creating workflow for request, issuance and approval mechanism, Security Support Systems, and Front-End / Internal-Support Systems by removing or disabling all accounts, applications, services, and Front-End / Internal-Support Systems by removing or disabling all accounts, applications, services, protocols, and ports that are not used in the CA's operations and allowing only those that are approved by the CA will be responsibility of Indian Navy and team @ Indian Navy. OEM will be doing knowledge transfer to Indian Navy team and help in enabling Indian Navy to integrate PKI as back-end infrastructure for issuing certificate for request from IDAM Solution of Indian Navy or even manual request or auto-enrolment request as default capabilities of Active Directory and Active Directory certificate services.

Query: Template for issuing systems (i.e.) IDAM System of Indian Navy currently from CA technologies with up to 05 templates, any customization or integration of creating workflow for request issuance, and approval mechanism.

This is understood as integration requirement with existing IDAM solution and additional to workflow software mentioned under Para 6(b).

Should PKI support certificate requests from IDAM, manual, default AD and ADCS or from work flow software.

It is clarified that certificate issuance requests from work flow software should be catered. The work flow software should leverage/ integrate with the IDAM of Indian Navy for credentials of the persons requesting the certificate.

69 Page 14, Point 11 Registering Authority is to be setup at five locations at New Delhi, Mumbai, Kochi, Vishakhapatnam and Karwar. The process of issuing certificates will be managed by Indian Navy however it must be supported by the SI during the warranty period. The project design should cater for scaling the number of RAs in case of a requirement from Indian Navy.

Query: Please elaborate on the role of RA.

Below are few pointers clarification regarding role of RA:

Certificate request validation, request generation and personalization of token to users.

Can end clients, users, NW elements, request for certificate from their end system, automatically without going through RA.

Will RA be a single window process for certificate issuance and management using the work software?

It is amplified that RA will be located at five locations as specified in the RFP. It will be a single window process for certificate issuance and management.

70 Page 14, Point 13 (c), (d) Implement/ Configure CA software as required by CCA for carrying out CA role.

Deployment of two Online Subordinate CAs in cluster in primary site, which will issue and manage the certificates for various purposes. CAs will be built in cluster for providing high availability within the same site and with similar configuration in DR site as well.

Query: CCA will be root CA for Indian Navy. Navy CA will be SubCA approved by CCA. Is the understanding correct, Please Confirm.

It is amplified that CCA should license Indian Navy to function as CA.

71 Annexure I Technical Specification of HSM.

Query: Are end client/user keys to be generated in HSM?

It is amplified that end client/ user keys to be generated in USB dongle/ token or as per CCA guidelines/ Best practices.

72 Annexure I Technical Specification of USB Token/dongle

Query: Specification does not mention key pair generation. Is there no requirement for need for key pair generation in token, Please confirm.

It is clarified that the generation of Keys is to be done in USB dongle/token or as per CCA guidelines/ Best practices.

73 Annexure II Technical Specification of CA Software

Query: Is request and renewal over SCEP from end clients is allowed. Please Confirm.

It is clarified that request and renewal over SCEP from end clients is allowed.

74 Page 7, Point 15 EMD is not required to be submitted by those Bidders who are registered with the Central Purchase Organization (e.g. DGS&D), National Small Industries Corporation (NSIC) or any Department of MoD or MoD itself.

Query: BEL is a DPSU registered with DGS&D for Radios. However, as per recent notification No: DGS&D/P&C/Green Channel/240/Amendment No 64/143 dtd 14.06.2017 DGS&D registration for all companies stand cancelled from 1st Jul 17. Should the EMD be submitted.

M/s BEL being part of MoD need not submit the EMD.

75 Page 13, Point 10(e) A resident engineer will be positioned by the successful bidder during all phases of support. The qualification and duties of the resident engineer is placed at para 1(a) of Annexure III. Further, the bidder will deploy Support Engineers for handling hardware defects and for deployed software on as required basis within 24 hours of complaint being registered with the bidder.

Query: In how many locations is the resident engineer to be positioned?

It is amplified that a single resident engineer is required to be positioned at Delhi DC. Para 10(e), Part II of RFP refers.

76 Page 27, Point 1 The Bidder will be required to furnish a Performance Guarantee by way of Bank Guarantee through a public sector bank or a private sector bank authorized to conduct government business (ICICI Bank Ltd., Axis Bank Ltd or HDFC Bank Ltd.) for a sum equal to 10% of the contract value within 30 days of signing of this contract. Performance Bank Guarantee will be valid up to 60 days beyond the date of warranty/services (as applicable). The specimen of PBG is given in DPM-09, (Available in MoD website and can be provided on request).

Query: As BEL is a DPSU, Can PBG be issued in the form of Indemnity Bond.

BEL has been submitting PBG in the past contracts. Further, clarification if any may be sought by BEL from MoD. Hence, as per RFP.

M/s N-Code Solutions Pvt. Ltd.

77 Page 47, Point (B) (8) It should be possible to run any number of CAs in any hierarchy in the same system. The CAs should possibly have different CA policies.

Query: It should be possible to run any number of CAs in any hierarchy under VM environment. The CAs should possibly have different CA policies.

It is clarified that, it should be possible to run any number of CAs in any hierarchy in a virtualised environment.

78 Page 11, Point 7(b) (VII) DR synchronization

Query: Bandwidth connectivity to be provision by SI or Bidder.

The setup will be deployed in Indian Navy’s intranet. Hence, it is clarified that bandwidth would be provided by Indian Navy.

79 Page 9, Point 6(a) The licensing model of the OEM should be server based and should be for unlimited client licenses.

Query: Licensing policy varies vendor to vendor, numbers of license gives idea of consumption and resources provisioning.

It is clarified that the certificates generated are only for non-commercial purposes and for use by Indian Naval personnel.

80 Page 9, Point 6(b) Indian Navy currently has licenses for Microsoft Sharepoint 2013 server, EMC2 Document, CA Identity Manager and Necessary Client licenses. The bidder may use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per CCA.

Query: More detail needed of existing CA workflow in order to integrate our custom application.

Clarification same as serial 56.

81 Page 47, Point (B) 10 The CA should be able to publish CRLs and certificates in any number of distribution points using LDAP/HTTPS protocol. The publication address must be configurable for each CA.

Query: Availability of webserver to publish CRL through http/https protocol.

The webserver will be provided by Indian Navy to publish CRL through http/https protocol.

82 Additional point

Query: Tape drive and disk backup not consider in hardware and backup software not included since offsite backup as per IT Act, hope it is available.

Existing adequate backup infrastructure is available with Indian Navy and the same can be utilized by the bidder.

83 Additional point

Query: Teleclock not included in IT Infra, its key factor and IT Act requirement to sync time of with NPL India.

Indian Navy will endeavor to provide GPS Clock

M/s Technology Nexus Secured Business Solutions

84 Page 9, Point 6 No server or CAL is envisaged to be procured as part of this project. In case of Microsoft Server and database licenses required during infrastructure setup by the successful bidder, the same will be provisioned by Indian Navy. Query: Request to specify the available OS & DB version with Navy. Also as part of the hardware requirement mentioned in project, Rack servers are to be provided by the bidder. Pls clarify is requisite OS & DB licenses would be provided by Navy?

The following software is available with Indian Navy:-

(a) Server OS - Windows Server 2008 R2/ 2012 and 2012 R2 (Std and DataCenter)

(b) Database – MS SQL 2012 STD/ Enterprise

85 Page 9, Point 6 (b) The bidder may use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per CCA. The application should utilise the authentication mechanism of existing IT infrastructure viz. Active Directory and IDAM (Currently CA Software). Query: there are no workflow approvals specified by CCA. this is to be decided by Navy. Also, CA system may have its own approval process which can be integrated with AD & may not require share point. e-form integration workflow need to be elaborated.

Clarification same as serial 56.

86 Page 37 SI Pre-qualification Criteria Query: In case, the bidder is an existing CCA certified CAs the above clauses are not applicable (Suitable proof to be submitted) Query: In recent government bids for PKI/CA projects: the government has specifically put up a conflict of interest clause: The bidder should not be a CA licensed by the CCA for providing CA operations in India. Bidder should not have conflict of interest, or potential conflict of interest; or any incident that materially and adversely affects the government Certification Authority's operations We request Navy to consider this.

It is clarified that the current project is only for usage by Indian Navy and its personnel. So the likelihood for conflict of interest does not exist. Hence, as per RFP

87 Page 37 Prime Bidder individually or jointly with Consortium partners should have experience of having successfully associated with a PKI project or a esign project during last 5 years ending last day of month previous to the one in which bids are invited.

Query: there haven’t been any recent RFPs for licensed PKI CA projects being executed by the prime bidders. Most of the enterprise/licensed CA are directly executed by OEMs. We request Navy to change the clause for considering OEM credentials: Prime Bidder individually / CA software OEM should have experience of having successfully associated with a PKI project or a esign project during last 5 years ending last day of month previous to the one in which bids are invited. Prime Bidder & CA Software OEM can submit a teaming agreement to Navy for scope of work and obligations at the contract stage.

As per RFP

M/s Inspira Pvt. Ltd.

88 Page 13, Point 10 Warranty start date is defined as the date when CCA would certify Indian Navy certification to function as CA. Warranty period for all hardware components and software licenses shall be deemed to commence from the date of sign-off. Warranty for all hardware components shall commence on the day of Project Sign-off and shall last.

Query: We understand you require 2 years warranty and 2 years AMC cost separately. Please confirm by default warranty will be required with items which are in BOQ

Warranty shall commence on the day of Project Sign-off and shall last for Two years. During this period, support for all project components like Hardware supplied, software developed / customised / configured for the project, physical installations of infrastructure setup as part of this project, update of help content etc. shall be covered. It is clarified that level of services for warranty, AMC and optional additional AMC is same. On completion of warranty, AMC will commence. Post which IN may enter a contract for optional additional AMC with the successful bidder as per previously negotiated prices/rates. Para 10 of part II of RFP refers.

89 Page 18, Point 23 Payment Terms

Query: We have a suggestion for the 80% on the delivery, inspection and Detail Project report submission and 20% on the project Signoff.

As per RFP

90 Page 12, Point 9 Training

Query: We understand, we need to provide 2 trainings each year and it is for the certifications also.

It is clarified as per para 9 of part II of RFP that the training would consist of the following:-

(a) Bidder would organize training of 20 Officers and 30 Sailors on various aspects of Information Security, public key infrastructure and licensing of CA operations.

(b) Additional certificate courses to be conducted/ provided by SI with one time certification fees at SI’s cost: -

(i) CISA (certification for 05 Students)

(ii) CISSP (certification for 05 Students)

91 Page 12, Point 9 Training

Query: We understand, For CISA and CISSP certification, we will provide single attempt for no of officers mentions.

This point needs to be read in conjunction with the clarification offered at point 90 above. It is clarified that the bidder will pay one time exam fee for CISSP and CISA exam for personnel nominated by Indian Navy.

92 Query: Bank Guarantee mode of EMD Submission can also be added.

Bank guarantee mode of EMD submission is available. Para 15 part I of RFP is relevant.

93 Page 13, Point 10 (F) Support Manpower

Query: Please confirm for Resident Engineer and support engineers nos and both will deploy on one location or multi locations.

It is amplified that a single resident engineer is required to be positioned at Delhi DC. Para 10(e), Part II of RFP refers.

94 Page 38, Point 9 PQ Criteria

Query: Suggest - IT project of 10 Crs order or 2 orders of 5 Crs each.

As per RFP

M/s Em Signer

95 Page 9 Indian Navy currently has licenses for Microsoft Sharepoint 2013 server, EMC2 Documentum, CA Identity Manager and Necessary Client licenses. The bidder may use the same to envision and develop custom work flows.

Query: Whether we can have a workflow system compliant with CCA guidelines without using the specific software mentioned in this point of RFP.

Clarification as per serial 56.

96 Page 49 The CA security architecture must underlie a successful security evaluation like Common Criteria

Query: Request also to add successful or under security evaluation.

The requirement of evaluation is from an assurance perspective. Hence, it is clarified that the proposed CA application should have undergone a successful evaluation or under security evaluation like Common Criteria

97 Query: Whether shall the bidder or any other 3rd party CA solution compliant with CCA

It is clarified that the proposed CA solution should have been implemented and running live in one of the CAs globally or the solution should have been implemented in India under the certification of root CA of India.

M/s C-DAC

98 Page 9, Point 6 (b) Indian Navy currently has licenses for Microsoft Sharepoint 2013 server, EMC 2 Documentum, CA Identity Manager and Necessary Client licenses. The bidder may use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per CCA,

Query: Please specify what workflows are envisioned as part of this solution on the domain, as all admin functionality is in protected network of PKI components only.

Justification: CA software should have the work- flow configuration feature embedded with the solution.

Clarification same as serial 56.

99 Page 10, Point 7 (a) On implementation/configuration of the CA server, it has to be integrated with existing IT infrastructure of Indian Navy. The bidder will integrate the PKI setup with Active Directory, MS Exchange Server, SCCM, SCOM to the extent feasible for leveraging PKI infrastructure.

Query: PKI setup will be integrated with LDAP. All certificate usage has to be by applications integrating with the LDAP (AD in this case). It is not clear if the PKI setup is to integrate separately with each application on the network. Neither is this advisable.

Justification: PKI being an authentication mechanism will be part of the LDAP

It is clarified that PKI will be integrated with existing Active Directory for authentication purposes. The integration with other applications like MS Exchange Server, SCCM and SCOM is to be undertaken to the extent feasible.

100 Page 10, Point 7 (a) On implementation/configuration of the CA server, it has to be integrated with existing IT infrastructure of Indian Navy. The bidder will integrate the PKI setup with Active Directory, MS Exchange Server, SCCM, SCOM to the extent feasible for leveraging PKI infrastructure

Query: All management components of the PKI servers will be included with the setup. No usage of SCOM/SCCM for these servers is envisaged.

Justification: Management of Linux based PKI servers will be part of the protected network.

The clause is being retained as per RFP.

101 Page 10, Point 7(a)(iii) Implement Active Directory based two-factor authentication only to each CA server (maximum 04 servers)

Query: (a) CA server will not be on direct network to AD (b) 2FA can consist of a password/pin and a token

Justification: CA server has to be air gapped

It is clarified that CA Server is in Navy’s Network, segregated by implementing zones. The existing Active Directory has to be configured for two-factor authentication.

102 Page 47, Point B (8) It should be possible to run any number of CAs in any hierarchy in the same system. The CAs should possibly have different CA policies.

Query: Kindly Clarify

Justification: Different CAs have to be recognized by domain. E.g. your domain recognizes Symantec , Verizon etc.

The clause is being retained as per RFP.

103 Page 47, Point B (9) It should be possible to assign registration officers to individual CAs or user domains and visibility/usability of user data should be limited to assigned CA or user Domain.

Query: Kindly Clarify.

It is clarified that certificate issuance requests from work flow software should be catered. The work flow software should leverage/ integrate with the IDAM(OEM CA) of Indian Navy for credentials of the persons requesting the certificate. The designed workflow should comply to CCA guidelines on issuance of different class of certificates. The applications that can be used for work flow and available with Indian Navy has been mentioned in the RFP. The bidder may use the applications and the licenses for same will be provided by Indian Navy. The bidder is free to use any other application in case if he desires to. Further, in case of a CA product having an inbuilt workflow the same is also acceptable to Indian Navy.

Justification: Different CAs have to be recognized by domain. E.g. your domain recognizes Symantec, Verizon etc

It is clarified that user domain means organizational units of Active Directory.

104 Page 47, Point B (13) End entity certification according to individual policies.

Query: Please Clarify.

Justification: Certificates are issued as per standard formats for signature, SSL etc.

It is clarified that certificates are to be issued as per standard formats.

105 Page 48, Point C (21) CA key management, Root-CA and Sub-CA certification, CA policy management: It should be possible to manage any number of CAs in any hierarchy in the same system. The CAs should possibly have different CA policies

Query: Please Clarify

Justification: CA is air gapped. Then a console that can manage CA cannot speak to Sub CAs.

It is clarified that, it should be possible to run any number of CAs in a hierarchy in a virtualised environment.

106 Page 48, Point C (24) Cross certification should be supported in both directions: internal CA to certify external CA and vice versa in PKCS#10 procedures.

Query: Please Clarify

Justification: CAs are inherently self-signed authorities who act as root of trust. Hence they are not "certified" by anybody. If a sub CA, then you can have a sub CA certified by external entity (e.g. NIC CA) but vice versa not possible/required.

The clause is being retained as per RFP.

107 Page 49, Point E (37) All relevant user actions (e.g. registration, certification, revocation etc.) should be logged in a digitally signed revision safe audit trail (transaction log), which is auditable. Relevant actions require commitment signatures of the user(s). Critical actions (e.g. CA management) require commitment signatures of more than one officer.

Query: Please add WORM device(s) in BOQ.

Justification: WORM device required.

The clause is being retained as per RFP.

108 Page 50, Point G (46) Support for different certificate profiles based on X.509 Public Key Certificates, Attribute Certificates, Card Verifiable Certificates (CVC) (e.g. e-Passports), Tachograph Certificates, Wireless TLS (WTLS) Certificates in conformance with the Wireless PKI (WPKI) Specifications.

Query: It is requested that non-applicable certificates (e.g. Tachograph certificates) are removed and the list be explicitly rationalised.

Justification: All standard CA certificate profiles will be used.

It is clarified that tachograph certificates are optional feature.

Digitech Electronic Systems Pvt. Ltd.

109 Storage of key values should be more than 2000

Query: As point no. 14 says keys should be secured and not stored, as per CCA guidelines. Same should be reflected in this point.

The point needs to be read in clarification at point No 52. Hence, as per RFP.

110 8. Software Upgrade The offline upgrade through web service is preferred.

Query: It must be offline upgrade or Web services

It is clarified that the intranet of Indian Navy is air gapped from internet. Hence, the upgrades should be in offline manner through web services.

111 24 and 25. Operating Temperature and Storage Temperature Operating – (0 to 35) Storage – (10 to 30)

Query: Generally storage temperature range is higher than operating. All HSMs generally support operating temperature 10-35. Hence this seems like a typo error

The typo error is regretted. It is clarified that the specified temperatures are as follows:- Storage – (0 to 35) Operating – (10 to 30)