MINUTES OF MEETING OF PRE-BID MEETING HELD ON 05 JUL 17 PROCUREMENT AND SETTING UP OF PUBLIC KEY INFRASTRUCTURE (PKI) - INDIAN NAVY
1. The Pre-bid meeting for the instant case, chaired by Cmde Sameer Agarwal, Addl PDIT, was held at NHQ Conference Hall, Sena Bhawan at 1500 hrs on 05 Jul 17. Cdr Piyush Baranwal, JDIT, was also present.
2. Reps from following firms had attended the meeting:-
(a) M/s Amtrak Systems Pvt. Ltd
(b) M/s C-DAC
(c) M/s Deloitte India Pvt. Ltd
(d) M/s Entrust Datacard Pvt Ltd
(e) M/s Gemalto Pvt. Ltd.
(f) M/s I-Value Pvt. Ltd
(g) M/s Tech Mahindra Pvt. Ltd
(h) M/s BEL
(i) M/s N-Code Solutions Pvt. Ltd
(j) M/s Technology Nexus Secured Business Solutions
(k) M/s Inspira Pvt. Ltd
(l) M/s Em Signer
(m) M/s BECIL
(n) M/s Microsoft
(o) M/s KNM Associates
(p) M/s Logix Net Soln Pvt Ltd
(q) M/s Futuresoft Solutions Pvt Ltd
(r) M/s MROTEK
(s) M/s E-Mudhra Ltd
(t) M/s Source Dot Com Pvt Ltd
(u) M/s PC Solutions
(v) M/s Krypto Agile
3. At the outset the Chairman welcomed everyone present and thanked everyone for the enthusiastic participation. To begin with the proceedings of the meeting, the Chairman clarified the following points:-
(a) At this juncture, all queries related to technical issues, bill of material and allied terms & conditions would be discussed/ clarified.
(b) No changes in RFP that carry any additional financial implication would be advisable and feasible at this stage.
(c) The terms & conditions mentioned at Part-III and Part-IV of RFP are standard terms & conditions required as part of Defence Procurement Manual (DPM) – 2009 and are non-negotiable.
(d) Necessary product certification details sought as part of this RFP are to be provided as the project pertains to security of networks.
(e) Bids are to be prepared meticulously; no overwriting or errors in calculations are permissible.
(f) Calculation of taxes is to be done as per extant regulations.
4. Thereafter, JDIT read out the cardinal timelines of the RFP that had to be adhered to by all bidders. JDIT also amplified the timelines to be followed for the RFP process. The queries/ points that were raised by the prospective bidders in their correspondences to the steering directorate were discussed. The summary of discussions and decisions/ clarifications has been placed at Appendix A of this document.
5. To conclude, the Chairman thanked all the representatives for participation and further emphasized that suggestions for change in specifications, qualification criteria and any other change that would carry additional financial implication are not possible at this stage. The clarifications discussed during the meeting would be published as MoM of the Pre-bid meeting as corrigendum to RFP at the websites www.eprocure.in, www.tenders.gov.in and www.indiannavy.nic.in.
6. There being no further points, the meeting was closed. These minutes of meeting have the approval of competent authority.
Sdxx (Piyush Baranwal) Commander JDIT 14 Jul 17 File No:- PC-15-IT/0622/04
Appendix A (refers to para 4)
PRE-BID QUERY – CLARIFICATIONS
Ser. | RFP Ref | Vendor Queries | Reply from Indian Navy
M/s Amtrak Systems Pvt. Ltd., M/s C-DAC
1 Page 40, Point 2 Server to be populated with minimum 128 GB DDR4 Memory or higher 2400MT/s RDIMMs expandable Up to 384GB.
Query: Kindly upgrade the memory from 384 to 768 GB.
Justification: Server to be populated with minimum 128 GB DDR4 Memory or higher 2400MT/s RDIMMs expandable Up to 768 GB.
Reply: As per RFP
2 Page 40, Point 7 Four 10 GBE ports on minimum two cards Query: Kindly specify cards. Justification: Please specify 10G Base T or SFP+.
Reply: It is clarified that Four 10 GBE ports (SFP+) on minimum two cards to be provided
3 Page 40, Point 8 Each Rack Server should be configured with two quantities of 8/16 Gbps FC Ports with transceivers. FCoE ports may be also provided in a different configuration as long as overall connectivity requirements are satisfied. Query: Kindly delete FCOE as it is specific to ONE OEM. Justification: FCoE will not surface the requirement of FC. Request you to please delete. "Please specify 10G Base T or SFP+FCoE ports may be also provided in a different configuration as long as overall connectivity requirements are satisfied."
Reply: Open Source information indicates that FCOE is not OEM specific. However, for connectivity requirements, it is clarified 10G Base T/ SFP/ FCoE ports may be also provided in a different configuration as long as overall connectivity requirements are satisfied.
4 Page 40, Point 11 SIs should provide embedded features that helps to manage Servers in physical, local and remote environments, operating in-band or out-of-band, with or without a systems management software agent. Query: Please change SI to OEM. Justification: It is should be OEM not SIs should provide embedded features that helps to manage Servers in physical, local and remote environments, operating in-band or out-of-band, with or without a systems management software agent.
Reply: It is clarified that OEM/ SIs should provide embedded features that helps to manage Servers in physical, local and remote environments, operating in-band or out-of-band, with or without a systems management software agent
5 Page 41, Point 13 The server should be able to alert impending failures on maximum number of components. The components covered under alerting mechanism should at least include Processors, memory, PCIe slots, VRMs, power supplies, fans, hard disk drives. Query: Please delete PCIe slot, VRM, Power supplies and FANS. Justification: Please get the same changed to The server should be able to alert impending failures on maximum number of components. The components covered under alerting mechanism should at least include Processors, memory, hard disk drives.
Reply: As per RFP
6 Page 41, Point 16 Smart Embedded Systems Management should be able to automate task like discovery deploy monitor and update. Query: Kindly Remove Smart as it is specific to one OEM. Justification: Embedded Systems Management should be able to automate task like discovery deploy monitor and update.
Reply: Open source information and discussions during Pre-bid conference indicate ‘Smart’ is not specific to OEM. Further, if the hardware provides the desired functionalities the same is acceptable. Hence, as per RFP.
7 Page 42, Point 9 Cooling : Should have inbuilt Rack cooling of capacity of 3 Ton or more
UPS Capacity: Should be supplied with Min 12 KVA rack-mounted UPS with Minimum backup 20 Min backup at full load. SMF Batteries
Intelligent Rack PDU
LCD TRAY with populated LCD / LED Screen
Keyboard / Mouse to be supplied in a Keyboard Tray. Compatible with the supplied KVM Switch Query: Please clarify that Cooling system is required with redundancy. Please clarify that UPS system is required with redundancy.
Reply: It is clarified that no redundancy is required. Hence, as per RFP.
M/s Deloitte India Pvt. Ltd.
8 Page 8, Point 3(a) Two sites – Primary site and DR Site with exactly same configuration.
Query: We request you to confirm whether the Hardware quantity for DR is the same as that of the Primary site.
Reply: It is clarified that the hardware and software at both locations is identical.
9 Page 9, Point 6(a) (viii) Verification of historical signatures
Query: We request you to elaborate on “Verification of historical signatures”.
Reply: The requirement of verification of historical signatures is required for corroboration of signatures on documents. It is envisaged that the same may be required for regulatory, forensic and audit purposes.
10 Page 11, Point 7(b) (v) Interaction with CCA for registering Indian Navy as CA which includes the creation and validation of all the required documents like CPS, agreements, contracts and
other documentation including Liaison with the CCA, GoI and other Agencies. Towards this application fee and miscellaneous expenditure is to be borne by the
bidder.
Query: We would like to mention that while the bidder shall bear the Application fee and other expenses, the Bank Guarantee of INR 50 Lakhs should be borne by the
Indian Navy. Hence, we request you to modify the clause as follows:
Interaction with CCA for registering Indian Navy as CA which includes the creation and validation of all the required documents like CPS, agreements, contracts and
other documentation including Liaison with the CCA, GoI and other Agencies. Towards this application fee and miscellaneous expenditure is to be borne by the
bidder. Bank Guarantee required, if any, in this process will be borne by the Navy.
Reply: It is clarified that application fee and miscellaneous expenditure is to be borne by the bidder. Bank Guarantee if required, in this process will be borne by the Navy.
11 Page 12, Point 8 (d) All required audits by CCA shall be presented by SI, including third party audit, and audit by STQC till certifications by CCA.
Query: We request you to provide the purpose and scope of the STQC audits.
Reply: It is understood from CCA that, prior to CCA undertaking audit, it may direct STQC to audit the premises. It is for this reason that STQC audit has been included in the scope.
12 Page 12, Point 9 Following additional certificate courses to be conducted/ provided by SI with certification at SI’s cost
Query: We request you to modify the clause as follows:
Following additional certificate courses to be conducted/ provided by SI with certification at SI’s cost (SI to pay the exam fee only once)
Reply: It is clarified that the SI has to bear the examination fee only once.
13 Page 13, Point 10(b) Warranty
Query: We request you to elaborate on the warranty of PKI tokens.
Reply: It is clarified that warranty of the tokens is only for one year from the date of supply (part II para 5 of RFP refers).
14 Page 13, Point 10(c) (d) AMC, Optional Additional AMC
Query: We request you to clarify whether "AMC" and "Optional Additional AMC" are for the same duration i.e., post completion of warranty or "Optional Additional
AMC" will commence after the warranty.
Reply: It is clarified that level of services for warranty, AMC and optional additional AMC is same. On completion of warranty, AMC will commence. Thereafter, Indian Navy may enter into a contract for additional AMC with the successful bidder based on the negotiated price. This contract for additional AMC may be drawn within three months post expiry of the AMC contract at the sole discretion of Indian Navy.
15 Page 14, Point 13 (d) Deployment of two Online Subordinate CAs in cluster in primary site, which will issue and manage the certificates for various purposes. CAs will be built in cluster for
providing high availability within the same site and with similar configuration in DR site as well.
Query: We request you to clarify if we can propose a better architecture or the architecture is pre-decided?
e.g., As all CAs will be implemented on VMs, we recommend that HA to be managed via hypervisor. We also recommend that the CA instances should be clustered
between DC and DR, instead of two instances at each location.
Also, two CA instances can be used for different purposes like issuance of device certs from one CA and user certs from another.
Reply: It is clarified that two CAs in cluster in primary site, which will issue and manage the certificates for various purposes. CAs will be built in cluster for providing high availability within the same site and with similar configuration in DR site as well. In case, if the bidder proposes a better architecture without any additional cost implications the same can be considered post concurrence.
16 Page 15, Point 13 (h) Certificate enrolment mechanisms using Auto Enrollment, Web Enrolment pages and Network Device Enrolment Services (NDES, the SCEP-compatible service). Two
dedicated Web servers will be deployed to host the Web Enrolment and NDES services.
Query: We request you to clarify if both servers will have both services i.e., NDES and Web Enrollment or one service each?
Also, request you to clarify if SI needs to supply these dedicated Web Servers for Web enrolment & NDES services or Navy will be providing the same.
Reply: The bidder is to make every effort to utilize the hardware supplied within the scope of the RFP. Additional hardware, if required separately for enrolment purposes, will be provided by Indian Navy.
17 Page 15, Point 13 (i) Segment PKI systems of Indian Navy into networks or zones based on their functional, logical, and physical (including location) relationship.
Query: We would like to mention that, as best practices, zones should have different CA Servers. With only two CA Instances, inter-zone traffic have to be allowed.
Reply: It is amplified that the requirements to create Zones have been indicated from security perspective. Indian Navy will provide the necessary hardware for undertaking zoning, however the configuration has to be undertaken by the bidder.
18 Page 15, Point 13 (o) Provision for automatic generation of all reports, as required by CCA, should be made in software. Number of reports shall be up to 5 or as per CCA requirements
whichever is more.
Query: We request you to elaborate on the scope to be covered in these reports.
Reply: As per discussions with CCA certain reports/ returns are to be sent to CCA. In anticipation, five reports have been asked in scope.
19 Page 16, Point 17 The Navy will be responsible for providing all relevant documents and data related to Indian Navy’s organizational, functional and other procedures as may be relevant
for design and development of the PKI solution and can be made available as required in accordance with the project plan. Access to designated sites/ establishments
of Navy would be provided. Indian Navy will nominate a nodal Officer who will be the point of contact for all services.
Query: We request you to modify the clause as follows:
The Navy will be responsible for providing all relevant documents and data related to Indian Navy’s organizational, functional and other procedures as may be relevant
for design and development of the PKI solution and can be made available as required in accordance with the project plan. Access to designated sites/ establishments
of Navy would be provided. Indian Navy will nominate a nodal Officer who will be the point of contact for all services.
(i) The Navy is responsible for determining that the scope of the Services is appropriate for its needs.
(ii) The Navy shall cooperate with the firm in the performance of the Services, including, without limitation, providing reasonable facilities and timely access to data,
information and personnel of the Navy. The Navy shall be responsible for the performance of its personnel and agents, for the timeliness, accuracy and completeness
of all data and information (including all financial information and statements) provided to Navy by or on behalf of the Navy and for the implementation of any advice
provided as part of the Services. The firm may use and rely on information and data furnished by the Navy or others without audit or verification. The firm’s
performance shall be dependent upon the timely performance of the Navy’s responsibilities under the Contract and timely decisions and approvals of the Navy in
connection with the Services. The firm shall be entitled to rely on all decisions and approvals of the Navy.
(iii) Except as otherwise provided in the contract, the Navy shall be solely responsible for, among other things: (A) making all management decisions and performing
all management functions; (B) designating one or more individuals who possess suitable skill, knowledge, and/or experience, preferably within senior management to
oversee the Services; (C) evaluating the adequacy and results of the Services; (D) accepting responsibility for the results of the Services; and (E) establishing and
maintaining internal controls, including, without limitation, monitoring ongoing activities.
(iv) Unless the contract specifies other arrangements, the Navy agrees that any Deliverables will be deemed accepted by the Navy (and the Services, or the relevant
part of them complete) within 10 days of their delivery, upon their delivery in their final form or when the Navy first makes use of them in its business, whichever comes
first.
Reply: It is clarified that the same cannot be included at this stage. Hence, as per RFP.
20 Page 17, Point 18 (n) The data provided to the SIs towards development of the project would need to be utilised in Naval premises only and would in no case be allowed to be taken out of
naval premises in any form including electronic / digital form. In addition, the SIs must maintain necessary secrecy and confidentiality of the data provide by the Navy
during the process of execution of the project. All the personnel deputed by the SIs for the project would deem to be under Official Secrets Act. In addition, the SIs is
required to sign a Non-Disclosure Agreement with Navy regarding the use of data related to project.
Query: We request you to clarify if Navy would be providing laptop / desktop with OS & Office tools for the project as the vendor isn’t allowed to bring the IT
equipment.
Reply: It is clarified that IN would be providing laptop / desktop with OS & Office tools for the project as the vendor isn’t allowed to bring the IT equipment.
21 Page 18, Point 24 Payment Stages
Query: Generally, the payment for the Hardware and Software are linked to the supply & commissioning. Hence, we request if the payment for the Hardware &
Software can be made within 60 days of the commissioning of the same. The payment for the services can follow the stages mentioned in your RFP.
(a) BIDDER’s invoices are due and payable by the Bank upon presentation. For invoices upon which payment is not received within thirty (30) days of the invoice date,
BIDDER reserves the right to charge 1% per month simple interest. Without limiting its other rights or remedies, BIDDER shall have the right to suspend or terminate
the Services entirely or in part if payment is not received within thirty (30) days of the invoice date. The Bank shall be responsible for all taxes, such as VAT, sales and
use tax, gross receipts tax, withholding tax, and any similar tax, imposed on or in connection with the Services, other than BIDDER’s income and property taxes.
(b) Any estimate of the fees involved in the Services will be based upon BIDDER's assessment of the work involved, taking account of any assumptions set out in the
Engagement Letter. Unless BIDDER has agreed otherwise in the Engagement Letter, BIDDER's fees may be adjusted, for example, if the Services prove more
complex or time consuming than expected.
Reply: As per RFP
22 Page 20 ESSENTIAL DETAILS OF ITEMS/ SERVICES REQUIRED
Query: Request you to add the following clause:
Confidentiality
(a) To the extent that, in connection with this Contract, either CONTRACTOR or the NAVY (the “receiving party”) comes into possession of any information, trade
secrets or other proprietary information relating to the other (the “disclosing party”) which is designated in writing by the disclosing party as ‘Confidential Information’
(the “Confidential Information”), it shall not disclose such Confidential Information to any third party without the disclosing party’s consent except to the NAVY’s or
CONTRACTOR’s legal advisors solely for the purpose of obtaining legal advice, or as may be required by law, regulation, judicial or administrative process, or to the
extent that such Confidential Information (A) shall have otherwise become publicly available (including, without limitation, any information filed with any governmental
agency and available to the public) other than as the result of a disclosure by the receiving party in breach hereof, (B) becomes available to the receiving party on a
non-confidential basis from a source other than the disclosing party which the receiving party believes is not prohibited from disclosing such information to it by
obligation to the disclosing party, (C) is known by the receiving party prior to its receipt from the disclosing party without any obligation of confidentiality with respect
thereto or (D) is developed by the receiving party independently of any disclosures made by the disclosing party to the receiving party of such information. In
satisfying its obligations under this Paragraph 32(a), each party shall maintain the other’s Confidential Information in confidence using at least the same degree of care
as it employs in maintaining in confidence its own Confidential Information, but in no event less than a reasonable degree of care. The obligations imposed by this
clause 32 (a) shall survive the termination of this Contract for a period of one (1) year
(b) Disclosure by CONTRACTOR. The NAVY also consents to CONTRACTOR disclosing Confidential Information (i) to any Contractor Entity and to any
Subcontractors that have agreed to be bound by confidentiality obligations similar to those in this paragraph 32 and (ii) to its auditors, insurers or in accordance with
applicable professional standards, or in connection with potential litigation.
(c) In the performance of the Services, any Contractor Entity or any Subcontractor may communicate or discuss the affairs of the NAVY with the other advisers of the
NAVY and may do so free from any obligation of confidentiality.
(d) The NAVY acknowledges that CONTRACTOR, in connection with performing the Services, may develop or acquire general knowledge, experience, know-how,
skills and ideas that are retained in the memory of its personnel. Notwithstanding anything to the contrary herein, the NAVY acknowledges and agrees that
CONTRACTOR may use such general knowledge, experience, know-how, skills and ideas.
(e) Nothing contained herein will prevent or restrict any Contractor Entity, including CONTRACTOR, from providing services to other NAVYs (including services which
are the same or similar to the Services) even if those other NAVYs’ interests are in competition with the NAVY. To the extent that CONTRACTOR possesses
information obtained under an obligation of confidentiality to another NAVY or other third party, CONTRACTOR is not obliged to disclose such information to the
NAVY, or use it for the benefit of the NAVY, however relevant it may be to the Services.
(f) In addition, the NAVY acknowledges and agrees that any such information that comes to the attention of CONTRACTOR in the course of performing this
engagement may be considered and used by any Contractor entity rendering accounting services in the context of responding to its professional obligations as the
independent accountants for the NAVY.
(g) The NAVY agrees to reimburse any costs any Contractor Entity or any Subcontractor may incur in complying with any legal, professional or regulatory disclosure
requirement relating to any of the Services imposed in any proceedings or regulatory process not involving any substantive claim or proceeding against any such
Contractor Entity or Subcontractor, provided the NAVY is notified promptly and, where reasonably or legally possible, prior to disclosure.
(h) Disclosure and use by NAVY. Notwithstanding Clause 32 (a) above, the NAVY shall not disclose to any third party the advice, opinions, reports or other work
product of CONTRACTOR provided hereunder without the express written consent of CONTRACTOR, except (i) where applicable laws, regulations, rules and
professional obligations prohibit limitations on disclosure, (ii) in the event that the NAVY or its affiliates have securities registered with the United States Securities and
Exchange Commission and any Contractor Entity is the auditor of the NAVY or any of its affiliates, in which case there are no restrictions or limitations on the
disclosure of CONTRACTOR’s advice, opinions, reports and other work product provided hereunder, or (iii) to the extent the United States Internal Revenue Code and
applicable Internal Revenue Service guidance relating to confidential tax shelters (or comparable law or guidance from other taxing authorities) apply, in which case
there are no restrictions or limitations on the disclosure of CONTRACTOR’s advice, opinions, reports and other services. The NAVY shall use the advice, opinions,
reports or other work product of CONTRACTOR solely for the purposes specified in the engagement letter and, in particular, shall not, without the prior written consent
of CONTRACTOR, use any advice, opinion, report or other work product of CONTRACTOR in connection with business decisions of any third party or for
advertisement purposes. All Services are only intended for the benefit of the NAVY. The mere receipt of any advice, opinions, reports or other work product by any
other persons is not intended to create any duty of care, professional relationship or any present or future liability between those persons and CONTRACTOR. As a
consequence, if copies of any advice, opinions, reports or other work product (or any information derived therefrom) are provided to others under the above
exclusions, it is on the basis that CONTRACTOR owes no duty of care or liability to them, or any other persons who subsequently receive the same.
Reply: The Confidentiality and Non Disclosure Agreement is to be guided by Appendix A of RFP. Hence, as per RFP.
23 Page 20 ESSENTIAL DETAILS OF ITEMS/ SERVICES REQUIRED
Query: Request you to add the following clause:
Limitation of Liability
a. Nothing in this Contract shall exclude or restrict or prevent a Claim being brought in respect of:
(i) any liability finally judicially determined to arise primarily from the fraud or bad faith of any Deloitte Entity or any Subcontractor; or
(ii) any other liabilities which cannot lawfully be limited or excluded, save to the extent permitted by law.
b. The Company agrees that CONTRACTOR shall not be liable to the Company for any Losses for an aggregate amount in excess of the fees paid by the Company
to CONTRACTOR under the Contract.
c. In circumstances where the provisions of state contrary herein, are finally judicially determined to be unenforceable, no Deloitte Entity or Subcontractor shall be
liable to the Company for any Losses for an aggregate amount in excess of the fees paid under the Contract.
d. In no event shall any Deloitte Entity or Subcontractor be liable for any loss of use, contracts, data, goodwill, revenues or profits (whether or not deemed to
constitute direct Losses) or any consequential, special, indirect, incidental, punitive or exemplary loss, damage, or expense relating to this Contract or the Services.
e. In circumstances where all or any portion of the provisions of this paragraph 33 are finally judicially determined to be unenforceable, the aggregate liability of
CONTRACTOR and any other Deloitte Entity or Subcontractor for any Loss shall not exceed an amount which is proportional to their relative responsibility for the Loss
to which the Claim relates taking into account the contributory negligence (if any) of the claimant and the responsibility and/or liability of any third party.
f. CONTRACTOR will not be liable for Losses arising as a result of the provision of false, misleading or incomplete information or documentation or the withholding or
concealment or misrepresentation of information or documentation by any person other than a Deloitte Entity or a Subcontractor.
Reply: As per RFP
24 Page 20 ESSENTIAL DETAILS OF ITEMS/ SERVICES REQUIRED
Query: Request you to add the following clause:
Indemnification
The Navy shall indemnify and hold harmless selected bidder for all Losses incurred in connection with any third party Claim, except to the extent finally judicially
determined to have resulted primarily from the fraud or bad faith of selected bidder.
Reply: As per RFP
25 Page 20 ESSENTIAL DETAILS OF ITEMS/ SERVICES REQUIRED
Query: Request you to add the following clause:
Ownership of BIDDER Property & Work Products
On payment of all of BIDDER’s fees in connection with this Contract, the Company shall obtain a non-exclusive license to use within its internal business, subject to
the other provisions of this Contract, any Deliverables or work product for the purpose for which the Deliverables or work product were supplied. BIDDER retains all
rights in the Deliverables and work product, and in any software, materials, know-how and/or methodologies that BIDDER may use or develop in connection with this
Contract.
Reply: As per RFP
26 Page 22, Point 6 In case it is found to the satisfaction of the Buyer that the Seller has engaged an Agent or paid commission or influenced any person to obtain the contract as
described in clauses relating to Agents/Agency Commission and penalty for use of undue influence, the Seller, on a specific request of the Buyer, shall provide
necessary information/ inspection of the relevant financial documents/information.
Query: Request you to modify the clause as follows:
In case it is found and adjudged by the Appellant Court to the satisfaction of the Buyer that the Seller has engaged an Agent or paid commission or influenced any
person to obtain the contract as described in clauses relating to Agents/Agency Commission and penalty for use of undue influence, the Seller, on a specific request of
the Buyer, shall provide necessary information/ inspection of the relevant supporting documents / information and invoices pertaining to services
Reply: The Part III and Part IV of RFP are as per the standard clauses in accordance with the existing regulations i.e. Defence Procurement Manual – 2009. These clauses cannot be changed. Hence, as per RFP.
27 Page 22, Point 8 In the event of the Seller’s failure to submit the Bonds, Guarantees and Documents, supply the stores/goods and conduct trials, installation of equipment, training, etc.
as specified in this contract, the Buyer may, at his discretion, withhold any payment until the completion of the contract. The BUYER may also deduct from the
SELLER as agreed, liquidated damages to the sum of 0.5% of the contract price of the delayed/undelivered stores/services mentioned above for every week of delay
or part of a week (beyond the contracted delivery period), subject to the maximum value of the Liquidated Damages being not higher than 10% of the value of delayed
stores/services.
Query: Request you to modify the clause as follows:
In the event of the Seller’s failure to submit the Bonds, Guarantees and Documents, supply the stores/goods and conduct trials, installation of equipment, training, etc.
as specified in this contract, the Buyer may, at his discretion, withhold any payment until the completion of the contract. The BUYER may also deduct from the
SELLER as agreed, liquidated damages to the sum of 0.5% of the contract price of the balance services mentioned above for every week of delay or part of a week
(beyond the contracted delivery period), subject to the maximum value of the Liquidated Damages being not higher than 10% of the value of delayed stores/services.
Reply: The Part III and Part IV of RFP are as per the standard clauses in accordance with the existing regulations i.e. Defence Procurement Manual – 2009. These clauses cannot be changed. Hence, as per RFP.
28 Page 23, Point 9 (d) The Buyer has noticed that the Seller has utilised the services of any Indian/Foreign agent in getting this contract and paid any commission to such
individual/company etc.
(e) As per decision of the Arbitration Tribunal.
Query: Request you to modify the clause as follows:
(d) The Buyer has noticed that the Seller has utilised the services of any Indian/Foreign agent in getting this contract and paid any commission to such
individual/company
(e) As per decision of the Arbitration Tribunal.
Unless terminated sooner in accordance with its terms, this Contract shall terminate once the Services have been performed. This Contract may be terminated by
BIDDER at any time, with or without cause, by giving written notice to the other party not less than thirty (30) days before the effective date of termination, provided
that, in the event of a termination for cause, the breaching party shall have the right to cure the breach within the notice period. BIDDER may terminate this Contract
with immediate effect upon written notice to the Client if BIDDER determines that (a) a governmental, regulatory, or professional entity, or an entity having the force of
law, has introduced a new, or modified an existing, law, rule, regulation, interpretation, or decision, the result of which would render BIDDER’s performance of any part
of the Contract illegal or otherwise unlawful or in conflict with independence or professional rules, or (b) circumstances change (including, without limitation, changes in
ownership of the Client or any of its Affiliates) such that BIDDER’s performance of any part of the Contract would be illegal or otherwise unlawful or in conflict with
independence or professional rules. Upon termination of the Contract, the Client will compensate BIDDER under the terms of the Engagement Letter for the Services
performed and expenses incurred through the effective date of termination.
The Part III and Part IV of RFP are as
per the standard clauses in
accordance with the existing
regulations i.e Defence Procurement
Manual – 2009. These clauses
cannot be changed. Hence, as per
RFP.
29 Page 23, Point 12 The prices stated in the present Contract shall be deemed to include all amounts payable for the use of patents, copyrights, registered charges, trademarks and
payments for any other industrial property rights. The Seller shall indemnify the Buyer against all claims from a third party at any time on account of the infringement of
any or all the rights mentioned in the previous paragraphs, whether such claims arise in respect of manufacture or use. The Seller shall be responsible for the
completion of the supplies including spares, tools, technical literature and training aggregates irrespective of the fact of infringement of the supplies, irrespective of the
fact of infringement of any or all the rights mentioned above.
Query: Request you to modify the clause as follows:
The prices stated in the present Contract shall be deemed to include all amounts payable for the use of patents, copyrights, registered charges, trademarks and
payments for any other industrial property rights. The Seller shall indemnify the Buyer against all claims from a third party at any time on account of the infringement of
any or all the rights mentioned in the previous paragraphs, whether such claims arise in respect of manufacture or use. The Seller shall be responsible for the
completion of the supplies including spares, tools, technical literature and training aggregates irrespective of the fact of infringement of the supplies, irrespective of the
fact of infringement of any or all the rights mentioned above.
Provided that this indemnity shall not apply in the following cases: (a) the modification of the Consultant’s deliverables provided under its services by any person other
than the Consultant or its personnel (b) Client’s failure to use any modification to the Consultant’s deliverables provided under its services made available by
Consultant where use of such modification would have avoided the infringement; (c) information, materials instructions or specifications that are themselves infringing
which are provided by or on behalf of the Client or which the Client requests or requires the Consultant to use; or (d) the use of the Consultant’s deliverables provided
under its services in a manner not agreed to hereunder; provided that the Client gives the Consultant written notice of any such claim and sole control over the
defense of any such claim.
The Part III and Part IV of RFP are as
per the standard clauses in
accordance with the existing
regulations i.e Defence Procurement
Manual – 2009. These clauses
cannot be changed. Hence, as per
RFP.
30 Part III Query: We would request you to consider our General Business Terms (GBT) at the time of signing the Contract Agreement.
We would request you to consider our System Testing Agreement (STA) for the VAPT services sought at the time of signing the Contract Agreement.
We would like to know if including our GBT and STA for your consideration with the Technical Bid is permitted.
The Part III and Part IV of RFP are as
per the standard clauses in
accordance with the existing
regulations i.e Defence Procurement
Manual – 2009. These clauses
cannot be changed. Hence, as per
RFP.
31 Page 27, Point 2,3 Option Clause, Tolerance Clause
Query: We request you to provide more clarity and differentiate these two clauses
It is clarified that Tolerance clause is
exercised to take care of any change
in requirements upto 20% plus/minus
during the period starting from issue
of RFP till placement of the contract.
In case of an Option Clause, the
buyer can exercise an option to
procure 50% of the original
contracted services/ goods i.a.w the
same terms and conditions of the
contract. Option clause will be
applicable during the currency of
contract. Part IV para 2 and 3 of RFP
refers.
32 Page 29, Point 8(d) Any excess of the purchase price, cost of manufacturer, or value of any stores procured from any other supplier as the case may be, over the contract price
appropriate to such default or balance shall be recoverable from the SELLER. Such recoveries shall not exceed 10% of the value of the contract.”
Query: The navy has remedy for termination and invoking PBG, it should not levy additional cost on the Bidder. Hence, we request you to modify the clause as
follows:
(d) Any excess of the purchase price, cost of manufacturer, or value of any stores procured from any other supplier as the case may be, over the contract price
appropriate to such default or balance shall be recoverable from the SELLER by invoking the PBG
The Part III and Part IV of RFP are as
per the standard clauses in
accordance with the existing
regulations i.e Defence Procurement
Manual – 2009. These clauses
cannot be changed. Hence, as per
RFP.
33 Page 30, Point 11 Any dispute between the parties shall be resolved mutually by the parties. If the dispute cannot be resolved by mutual consultation between the parties, the same shall
be resolved in accordance with provisions of Arbitration and Conciliation Act, 1996 and rules framed there under as may be amended from time to time or its re-enactment.
Place of Arbitration shall be Delhi. The Arbitrator will be appointed by the Indian Navy and decision of the Arbitrator shall be final and binding on the
parties.
Query: We request you to modify the clause as follows:
Any dispute between the parties shall be resolved mutually by the parties. If the dispute cannot be resolved by mutual consultation between the parties, the same shall
be resolved in accordance with provisions of Arbitration and Conciliation Act, 1996 and rules framed there under as may be amended from time to time or its re-enactment.
Place of Arbitration shall be Mumbai. The Arbitrator will be appointed on mutual agreed basis and decision of the Arbitrator shall be final and binding on the
parties.
The Part III and Part IV of RFP are as
per the standard clauses in
accordance with the existing
regulations i.e Defence Procurement
Manual – 2009. These clauses
cannot be changed. Hence, as per
RFP.
34 Page 34 CONFIDENTIALITY AND NON DISCLOSURE AGREEMENT
The Indian Navy and the SIs shall keep confidential and shall not, without the written consent of the other party hereto, divulge to any third party any documents, data
or other information furnished directly or indirectly by the other party hereto in connection with the Contract, whether such information has been furnished prior to,
during or following termination of the Contract. Notwithstanding the above, the SIs may furnish to its Subcontractor(s) such documents, data and other information it
receives from the Navy to the extent required for the Subcontractor(s) to perform its work under the Contract, in which event SIs shall obtain from such
Subcontractor(s) an undertaking of confidentiality similar to that imposed on this SIs under this Clause. SIs also undertakes not to use any information gained by virtue
of this project, in any form, to prepare, develop, market or sell any system or product for utilization by any other client. The provisions of this Clause shall survive
termination, for whatever reason, of the Contract.
Query: Request you to modify the clause as follows:
The Indian Navy and the SIs shall keep confidential and shall not, without the written consent of the other party hereto, divulge to any third party any documents, data
or other information furnished directly or indirectly by the other party hereto in connection with the Contract, whether such information has been furnished prior to,
during or following termination of the Contract. Notwithstanding the above, the SIs may furnish to its Subcontractor(s) such documents, data and other information it
receives from the Navy to the extent required for the Subcontractor(s) to perform its work under the Contract, in which event SIs shall obtain from such
Subcontractor(s) an undertaking of confidentiality similar to that imposed on this SIs under this Clause. SIs also undertakes not to use any information gained by virtue
of this project, in any form, to prepare, develop, market or sell any system or product for utilization by any other client. The provisions of this Clause shall survive
termination, for whatever reason, of the Contract for a period of One (1) year from effective date of termination.
This Agreement shall terminate once services are being performed or by written notice to other party of not less than thirty (30) days.
To the extent that, in connection with this contract, either SI or the NAVY (the “receiving party”) comes into possession of any information, trade secrets or other
proprietary information relating to the other (the “disclosing party”) which is designated in writing by the disclosing party as ‘Confidential Information’ (the “Confidential
Information”), it shall not disclose such Confidential Information to any third party without the disclosing party’s consent except to the NAVY’s or SI’s legal advisors
solely for the purpose of obtaining legal advice, or as may be required by law, regulation, judicial or administrative process, or to the extent that such Confidential
Information (A) shall have otherwise become publicly available (including, without limitation, any information filed with any governmental agency and available to the
public) other than as the result of a disclosure by the receiving party in breach hereof, (B) becomes available to the receiving party on a non-confidential basis from a
source other than the disclosing party which the receiving party believes is not prohibited from disclosing such information to it by obligation to the disclosing party, (C)
is known by the receiving party prior to its receipt from the disclosing party without any obligation of confidentiality with respect thereto or (D) is developed by the
receiving party independently of any disclosures made by the disclosing party to the receiving party of such information. In satisfying its obligations under this clause,
each party shall maintain the other’s Confidential Information in confidence using at least the same degree of care as it employs in maintaining in confidence its own
Confidential Information, but in no event less than a reasonable degree of care.
In no event shall either party, its affiliates, or related entities be liable for consequential, special, indirect, incidental, punitive or exemplary loss, damage, or expense
relating to this Agreement (whether in contract, statute, tort (such as negligence), or otherwise).
This is standard Confidentiality clause
of Indian Navy. Hence, as per RFP.
35 Page 47, Point 11 CRLs should be supported with configurable format, issuing period etc. It should be possible to use indirect CRLs, which are not signed by the CA, but by a delegated
instance.
Query: We would like to mention that this is not recommended for Navy and hence the feature should be removed.
It is amplified that CRLs should be
supported with configurable format,
issuing period etc. The feature to use
indirect CRLs, which may be signed
by the CA, or by a delegated instance
is optional.
36 Page 48, Point 21 CA key management, Root-CA and Sub-CA certification, CA policy management: It should be possible to manage any number of CAs in any hierarchy in the same
system. The CAs should possibly have different CA policies
Query: We would like to mention that this is not recommended for Navy and hence the feature should be removed.
It is clarified that in a hierarchy the CA
should be able to manage multiple
sub-CA.
37 Page 48, Point 26 Multi-tenancy, delegated CA management: it should be possible to define administration domains with separation with respect to visibility and access to CAs, policies,
roles, CA users, logs etc.
Query: We would like to mention that Multi-tenancy is not recommended for Navy and hence the feature should be removed.
It is clarified that with delegated CA
management it should be possible to
define administration domains with
separation with respect to visibility
and access to CAs, policies, roles,
CA users, logs etc and Multi tenancy
feature is optional
38 Page 48, Point 29 There should be a powerful API (preferably Web Services protocol) that supports certification, revocation, delayed publication for any end entity as well as to retrieve
user and certificate information. The API should be access controlled and multi-tenant capable.
Query: We would like to mention that Multi-tenancy is not recommended for Navy and hence the feature should be removed.
It is clarified that the API should be
access controlled and feature of
multi-tenant capability is optional.
39 Page 49, Point 37 All relevant user actions (e.g. registration, certification, revocation etc.) should be logged in a digitally signed revision safe audit trail (transaction log), which is audit-
able. Relevant actions require commitment signatures of the user(s). Critical actions (e.g. CA management) require commitment signatures of more than one officer.
Query: We would like to mention that logging in digitally signed is not a standard practice and may not be available with all CA applications. Hence, request you to
look into this.
It is clarified that all relevant user
actions (e.g. registration, certification,
revocation etc.) should be logged in a
revision safe audit trail (transaction
log), which is audit-able. The logs
generated should be in compliance of
extant GOI regulations/ CCA if any.
40 Page 49, Point 41 All sensitive tasks should require 4-eyes-principle
Query: 4-eye principle should be replaced with split control as 4-eye principle is vendor specific. This will ensure fair playing field for all the vendors and encourage
more vendors to participate.
It is amplified that the requirement is
that all sensitive tasks should be
undertaken using segregation of
duties with a minimum of two people
at CA application level or at HSM
level.
41 Page 50, Point 56 Letter from the organization where the Solution has been implemented, confirming that CA Solution has been implemented in their organization and working
satisfactorily.
Query: We request you to modify the clause as follows to bring-in more clarity and to include both OEM/SI credentials:
OEM / SI vendor to share the letter from the organization where the Solution has been implemented, confirming that CA Solution has been implemented in their
organization and working satisfactorily.
The requirement is that the solution
being offered is in use satisfactorily at
some other organization. Hence, as
per RFP.
42 Page 50 AR CA shall support an OCSP capability using the GET or the POST method for DSC issued.
Query: We request you to clarify what “AR CA” means?
It is clarified that CA shall support an
OCSP capability using the GET or the
POST method for DSC issued
M/s Entrust Datacard Pvt Ltd.
43 If the solution architecture uses a data base/ RDBMS Solution Software must support MS SQL 2012 and Oracle 11g, if an RDBMS is used to store user, credential,
configuration, log or other data.
Query: The type of database product should not be relevant especially where there’s no additional licensing cost and it’s not a separate box to manage. Some
solutions use other Industry Standard Databases, which gets installed as part of the product install. For all practical purposes it’s a closed system and the database
element is transparent. What is the specific technical requirement (if any) that is behind the need for MS SQL and Oracle? Request you to change / modify this
clause to allow solution to use its own database if available? Plus customer saves cost here.
The databases specified in RFP are
from reputed vendors and in case if
MS SQL 2012 is proposed then
Indian Navy could provide the
licenses. It is further amplified, that
the bidder may also deploy any other
database from reputed vendors as
per design.
44 It should be possible to run any number of CAs in any hierarchy in the same system. The CAs should possibly have different CA policies.
Query: Can we seek clarity around what is meant by “the same system”? Does the use of the word “system” relate to the overall solution? Please elaborate on what
the ask is here?
It is clarified that the CA application is
required to run in a hierarchical
manner within Indian Navy’s Intranet.
45 CRLs should be supported with configurable format, issuing period etc. It should be possible to use indirect CRLs, which are not signed by the CA, but by a delegated
instance.
Query: Why is there a need to use “Indirect CRLs”? We believe this is a vendor specific clause and should be removed to allow more OEMs to participate/qualify.
It is amplified that CRLs should be
supported with configurable format,
issuing period etc. The feature to use
indirect CRLs, which may be signed
by the CA, or by a delegated instance
is optional.
46 Support of multiple HSMs (over PKCS#11 and JCE) for storing CA private keys and all other system keys.
Query: Why is there a need to communicate over JCE if Industry standard PKCS # 11 meets the requirements? Request you to please modify this clause to PKCS#11
or JCE.
It is clarified that support of multiple
HSMs (over PKCS#11 or JCE) for
storing CA private keys and all other
system keys.
47 The product must offer centralized, secure management of CAs, policies and configuration data with GUI support.
Query: Please explain user use case about who manages each CA, what sort of roles in each location/geography manage CA’s both within and outside their usual
location/geographic region.
It is amplified that web management
using GUI is being sought for
management of the application within
Navy’s intranet.
48 SCEP should be supported. Only authorized (registered) SCEP devices should be granted with a certificate. Renewal over SCEP should be possible without an
additional registration. It should be possible to run different SCEP services for different CAs.
Query: Please elaborate on details around the type of devices typically involved and what their use case is.
It is clarified that SCEP is envisaged
to be used for network devices within
Indian Navy like Routers, VPN etc.
49 CMP should be supported – System should support
Certificate enrollment part of Certificate Management
Protocol (CMP) v2 as profiled by 3GPP TS 33.310 version 9.5.0 (ETSI TS 133 310 V9.5.0).
Query: Please elaborate on details around the type of devices typically involved and what their use case is.
Also would request this be modified to allow CMPv2 compliant enrollment service that supports RFC 4210. We have tested with Security Gateway products and have
built to the 3GPP specification but have yet to fully test with an eNodeB, would support eNodeB in roadmap (part of 3GPP specs.)
It is clarified that CMPv2 compliant
enrollment service that supports RFC
4210 is also acceptable.
50 Should support Active-Active type of high availability ensuring sub components that can be multiplied to match performance and fault tolerance needs.
Query: What exactly is the actual solution requirement in terms of overall resilience, failover, integrity and response time? Is this really perceived as a “MUST” or
just a highly desirable and if so based upon what exact performance metric?
We have many referenceable installations where appropriate high availability solutions are deployed etc.
It is amplified that the support for
Active-Active type of high availability
is being sought for continuous
operations. In case if the product
offers High Availability through other
means or is there in the roadmap
without any financial implications, the
same is acceptable.
51 Support for different certificate profiles based on X.509 Public Key Certificates, Attribute Certificates, Card Verifiable Certificates (CVC) (e.g. ePassports), Tachograph
Certificates, Wireless TLS (WTLS) Certificates in conformance with the Wireless PKI (WPKI) specifications
Query: Please explain the need to support Tachograph Certificates. We believe this is a vendor specific clause and should be removed.
It is clarified that tachograph
certificates are optional feature.
52 Interface to external modules for secure communication with server applications
Query: We need more details here. What external modules are you referring to, what server applications? Some knowledge of those will provide information about
what sort of communications protocols are being used. All communications between our components are already secure so detail about what else they want to
connect to is required.
It is amplified that all communications
between the application and modules
should be secure.
M/s Gemalto Pvt. Ltd., M/s I-Value Pvt. Ltd.
53 Page 14, Point 14 Keys should always remain in Hardware and never reside in software in any form/ As per CCA Guidelines.
Query: We request you to please re-look into the same as the statement looks that "KEYS" in hardware is taken as optional feature, which is very important and
critical in nature.
CCA provides guidelines for minimum security requirement, However that should not become the highest benchmark, when we are going to develop a secure system.
Considering the fact that we will be using HSM i.e. "Hardware Security Module" that means that Keys should always be in Hardware and never be in software in any
form. If it will be in software at any point of time then it defeats the purpose of procuring / using HSM.
So we request to edit this clause as "Keys should always remain in Hardware and never reside in software in any form". HSM must comply with CCA Guidelines."
Justification: HSM should always be capable of storing the KEYs inside the HSM only, and never allow the Keys to be stored in software, no matter if the master Keys are
in HSM and rest of the keys are encrypted and kept in software. If the HSM keeps the Keys in software, there is a master wrapping key that is stored inside the HSM
but every other key is outside of the HSM. To put it plainly, the keys are kept in a file and are loaded into the HSM when they are needed. And this is where the
vulnerability lies: the keys are stored in a file, and the security of the keys is related to the security of the file. I can make a copy of the file (because it sits on the
filesystem) so I can use any root or Administrator privilege escalation vulnerability to get to the file and then mount a brute force attack on this file and the HSM
has no control over this
It is amplified that Indian Navy seeks
to procure HSM whose specifications
and features are in accordance with
CCA guidelines and would be
acceptable during CCA certification
audits.
54 Page 44, Point 29 Functions have to be secured using public key technology and functions have to be executed within tamper resistant hardware. The hardware design should allow for
programmable cryptography and custom functions
Query: Are we going to run custom made functions/Applications inside the HSM? If yes then this will make the FIPS certification invalid and as per CCA FIPS based
Hardware is must. Will that be fine? If not then request you to remove this clause.
Justification: To keep HSM FIPS compliant, in that case programmable HSM should be allowed for the same and as per CCA guidelines HSM should be FIPS
certified for the security reasons.
It is clarified that the functions
generally use APIs of HSM. The
functions therefore in no manner
affect the security of the device as it
accesses the HSM only through the
APIs. Hence as per RFP.
M/s Tech Mahindra Pvt. Ltd.
55 Page 9, Point 6 No server or CAL is envisaged to be procured as part of this project. In case of Microsoft Server and database licenses required during infrastructure setup by the
successful bidder, the same will be provisioned by Indian Navy
Query: Request to specify the available OS & DB version with Navy. Please clarify that requisite OS & DB licenses would be provided by Navy?
The following software is available
with Indian Navy:-
Server OS- Windows Server 2008
R2/ 2012 and 2012 R2
Database – MS SQL 2012 STD/
Enterprise
56 Page 9, Point 6 (b) The bidder may use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per
CCA. The application should utilise the authentication mechanism of existing IT infrastructure viz. Active Directory and IDAM (Currently CA Software).
Query: There are no workflow approvals specified by CCA -- this is to be decided by Navy. Also, CA system may have its own approval process which can be
integrated with AD & may not require share point. e-form integration workflow. Kindly elaborate.
It is clarified that certificate issuance
requests from work flow software
should be catered. The work flow
software should leverage/ integrate
with the IDAM(OEM CA) of Indian
Navy for credentials of the persons
requesting the certificate. The
designed workflow should comply to
CCA guidelines on issuance of
different class of certificates. The
applications that can be used for work
flow and available with Indian Navy
has been mentioned in the RFP. The
bidder may use the applications and
the licenses for same will be provided
by Indian Navy. The bidder is free to
use any other application in case if he
desires to. Further, in case of a CA
product having an inbuilt workflow the
same is also acceptable to Indian
Navy if it meets the overall
functionality requirements.
57 Page 39 Prime Bidder individually or jointly with Consortium partners should have experience of having successfully associated with a PKI project or a esign project during last
5 years ending last day of month previous to the one in which bids are invited.
Query: There haven’t been any recent RFPs for licensed PKI CA projects being executed by the prime bidders. Most of the enterprise/licensed CA are directly
executed by OEMs
We request Navy to change the clause for considering OEM credentials:
Prime Bidder individually / CA software OEM should have experience of having successfully associated with a PKI project or a esign project during last 5 years
ending last day of month previous to the one in which bids are invited.
Prime Bidder & CA Software OEM can submit a teaming agreement to Navy for scope of work and obligations at the contract stage.
It is clarified that prime Bidder
individually or jointly with Consortium
partners should have experience of
having successfully associated with a
PKI project or a E-sign project during
last 5 years ending last day of month
previous to the one in which bids are
invited.
58 Page 8 Indian Navy intends to deploy a highly secure Public Key Infrastructure (PKI) in order to provide trusted cryptographic keys (certificates) for securing its
communications, SSL, code signing, etc
Query: What are the type of certificates that are envisaged to be issued by the CA? (Digital signature, SSL, code signing etc). As per CCA guidelines, the CA for
issuing SSL and code signing certificates needs to be separate from that issuing User based certificates.
It is clarified that the immediate
requirement is of Digital signature.
However, the system should be
capable to issue/ support other
Certificates like SSL, code signing etc
59 Page 8 Audit
Query: Can we assume that all controls required for the CCA audit other than those specified in this RFP ,(physical, logical etc) would be met by the Indian Navy?
It is amplified that any Civil works or
any additional hardware which is
required for the project will be
undertaken by Navy. However, the
timely advise and offering of the same
to CCA for audits will be responsibility
of the bidder.
60 Page 8 Two set of Hardware running in HA and FT mode
Query: Is it possible that we can use the HA and FT features of the VMWare software already available with the Indian Navy for providing the solution?
It is clarified that Indian Navy uses
Hyper–V, functionalities available in
the application can be leveraged by
the bidder to achieve the objective.
61 Query: Is there any specified RPO/RTO between DC and DR?
The desired RPO/ RTO between DC
and DR is 06 Hours/ 24 Hours
respectively
M/s BEL
62 Page 9, Point 6 Indian Navy as part of earlier procurement has procured requisite Microsoft Server, database, Virtualisation Environment and requisite User CAL licenses for internal
usages. No server or CAL is envisaged to be procured as part of this project. In case of Microsoft Server and database licenses required during infrastructure setup by
the successful bidder, the same will be provisioned by Indian Navy.
Query: RFP States that Microsoft server and database licenses required during infrastructure setup by the successful bidder, the same will be provisioned by Indian
Navy.
We understood that the server licenses mentioned is Window server operating system. Please provide the version of present Windows Operating system
The following software is available
with Indian Navy:-
(a) Server OS - Windows Server
2008 R2/ 2012 and 2012 R2 (Std and
DataCenter)
(b) Database – MS SQL 2012 STD/
Enterprise
63 Page 9, Point 6 (a) (xii) Mechanism to recover dependent data on keys held in lost tokens. Key Escrow as per existing regulations or best practices.
Query: The RFP requirement states that a provision to recover data secured by keys in lost token should be provided as part of solution. Is the understanding correct, Please confirm.
The understanding is correct.
64 Page 9, Point 6 (a) (xii) Mechanism to recover dependent data on keys held in lost tokens. Key Escrow as per existing regulations or best practices.
Query: Please brief on the existing Key Escrow policy of the Navy.
It is clarified that currently there is no
key escrow mechanism existing in the
Navy as on date.
65 Page 9, Point 6 (a) (xii) Mechanism to recover dependent data on keys held in lost tokens. Key Escrow as per existing regulations or best practices.
Query: Since Key escrow is mentioned as per Navy policy, is the key pair generation for end clients to be centralised in HSM or key pair generation is to be done in token/ end systems/RA.
It is clarified that Key Pair generation
is to be done in tokens or as per CCA
guidelines/ Best practices.
66 Page 9, Point 6(b) Indian Navy currently has licenses for Microsoft Sharepoint 2013 server, EMC2 Documentum, CA Identity Manager and Necessary Client licenses. The bidder may
use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per CCA. The application should utilise the authentication mechanism of existing IT infrastructure viz. Active Directory and IDAM (Currently CA Software).
Query: The Para mentioned that Indian Navy currently has licenses for Microsoft Sharepoint 2013 Server, EMC2 documentation, CA identity manager and necessary client licenses and that work flow software may leverage on same for development of work flows. We understand that the bidder can also provide new development of work flow software not using the existing components. Please confirm.
Clarification same as serial 56.
67 Page 9, Point 6(b) Indian Navy currently has licenses for Microsoft Sharepoint 2013 server, EMC2 Documentum, CA Identity Manager and Necessary Client licenses. The bidder may
use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per CCA. The application should utilise the authentication mechanism of existing IT infrastructure viz. Active Directory and IDAM (Currently CA Software).
Query: Work flow software is envisaged to be centralised software hosted in the portal to be used for certificate issuance process. Please confirm.
It is clarified that the work flow software is envisaged to be centralized software hosted in the portal to be used for certificate issuance process.
68 Page 10, Point 7(a) (ii) Configure Certificate Template for Issuing Systems (i.e. IDAM System of Indian Navy currently from CA Technologies) with up to 05 templates, any customization or
integration of creating workflow for request, issuance and approval mechanism, Security Support Systems, and Front-End / Internal-Support Systems by removing or
disabling all accounts, applications, services, and Front-End / Internal-Support Systems by removing or disabling all accounts, applications, services, protocols, and
ports that are not used in the CA's operations and allowing only those that are approved by the CA will be responsibility of Indian Navy and team @ Indian Navy. OEM
will be doing knowledge transfer to Indian Navy team and help in enabling Indian Navy to integrate PKI as back-end infrastructure for issuing certificate for request
from IDAM Solution of Indian Navy or even manual request or auto-enrolment request as default capabilities of Active Directory and Active Directory certificate
services.
Query: Template for issuing systems (i.e.) IDAM System of Indian Navy currently from CA technologies with up to 05 templates, any customization or integration of
creating workflow for request issuance, and approval mechanism.
This is understood as integration requirement with existing IDAM solution and additional to workflow software mentioned under Para 6(b).
Should PKI support certificate requests from IDAM, manual, default AD and ADCS or from work flow software.
It is clarified that certificate issuance requests from work flow software should be catered. The work flow software should leverage/ integrate with the IDAM of Indian Navy for credentials of the persons requesting the certificate.
69 Page 14, Point 11 Registering Authority is to be setup at five locations at New Delhi, Mumbai, Kochi, Vishakhapatnam and Karwar. The process of issuing certificates will be managed by
Indian Navy however it must be supported by the SI during the warranty period. The project design should cater for scaling the number of RAs in case of a
requirement from Indian Navy.
Query: Please elaborate on the role of RA.
Below are few pointers clarification regarding role of RA:
Certificate request validation, request generation and personalization of token to users.
Can end clients, users, NW elements, request for certificate from their end system, automatically without going through RA.
Will RA be a single window process for certificate issuance and management using the work software?
It is amplified that RA will be located at five locations as specified in the RFP. It will be a single window process for certificate issuance and management.
70 Page 14, Point 13 (c), (d) Implement/ Configure CA software as required by CCA for carrying out CA role.
Deployment of two Online Subordinate CAs in cluster in primary site, which will issue and manage the certificates for various purposes. CAs will be built in cluster for
providing high availability within the same site and with similar configuration in DR site as well.
Query: CCA will be root CA for Indian Navy. Navy CA will be SubCA approved by CCA. Is the understanding correct, Please Confirm.
It is amplified that CCA should license Indian Navy to function as CA.
71 Annexure I Technical Specification of HSM.
Query: Are end client/user keys to be generated in HSM?
It is amplified that end client/ user keys to be generated in USB dongle/ token or as per CCA guidelines/ Best practices.
72 Annexure I Technical Specification of USB Token/dongle
Query: Specification does not mention key pair generation. Is there no requirement for need for key pair generation in token, Please confirm.
It is clarified that the generation of Keys is to be done in USB dongle/token or as per CCA guidelines/ Best practices.
73 Annexure II Technical Specification of CA Software
Query: Is request and renewal over SCEP from end clients allowed? Please Confirm.
It is clarified that request and renewal over SCEP from end clients is allowed.
74 Page 7, Point 15 EMD is not required to be submitted by those Bidders who are registered with the Central Purchase Organization (e.g. DGS&D), National Small Industries Corporation
(NSIC) or any Department of MoD or MoD itself.
Query: BEL is a DPSU registered with DGS&D for Radios. However, as per recent notification No: DGS&D/P&C/Green Channel/240/Amendment No 64/143 dtd
14.06.2017 DGS&D registration for all companies stand cancelled from 1st Jul 17. Should the EMD be submitted.
M/s BEL being part of MoD need not submit the EMD.
75 Page 13, Point 10(e) A resident engineer will be positioned by the successful bidder during all phases of support. The qualification and duties of the resident engineer is placed at para 1(a)
of Annexure III. Further, the bidder will deploy Support Engineers for handling hardware defects and for deployed software on as required basis within 24 hours of
complaint being registered with the bidder.
Query: In how many locations is the resident engineer to be positioned?
It is amplified that a single resident engineer is required to be positioned at Delhi DC. Para 10(e), Part II of RFP refers.
76 Page 27, Point 1 The Bidder will be required to furnish a Performance Guarantee by way of Bank Guarantee through a public sector bank or a private sector bank authorized to conduct
government business (ICICI Bank Ltd., Axis Bank Ltd or HDFC Bank Ltd.) for a sum equal to 10% of the contract value within 30 days of signing of this contract.
Performance Bank Guarantee will be valid up to 60 days beyond the date of warranty/services (as applicable). The specimen of PBG is given in DPM-09, (Available in
MoD website and can be provided on request).
Query: As BEL is a DPSU, Can PBG be issued in the form of Indemnity Bond.
BEL has been submitting PBG in the past contracts. Further, clarification if any may be sought by BEL from MoD. Hence, as per RFP.
M/s N-Code Solutions Pvt. Ltd.
77 Page 47, Point (B) (8) It should be possible to run any number of CAs in any hierarchy in the same system. The CAs should possibly have different CA policies.
Query: It should be possible to run any number of CAs in any hierarchy under VM environment. The CAs should possibly have different CA policies.
It is clarified that, it should be possible to run any number of CAs in any hierarchy in a virtualised environment.
78 Page 11, Point 7(b) (VII) DR synchronization
Query: Bandwidth connectivity to be provision by SI or Bidder.
The setup will be deployed in Indian Navy’s intranet. Hence, it is clarified that bandwidth would be provided by Indian Navy.
79 Page 9, Point 6(a) The licensing model of the OEM should be server based and should be for unlimited client licenses.
Query: Licensing policy varies vendor to vendor, numbers of license gives idea of consumption and resources provisioning.
It is clarified that the certificates generated is only for non-commercial purposes and for use by Indian Naval personnel.
80 Page 9, Point 6(b) Indian Navy currently has licenses for Microsoft Sharepoint 2013 server, EMC2 Documentum, CA Identity Manager and Necessary Client licenses. The bidder may use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per CCA.
Query: More detail needed of existing CA workflow in order to integrate our custom application.
Clarification same as serial 56.
81 Page 47, Point (B) 10 The CA should be able to publish CRLs and certificates in any number of distribution points using LDAP/HTTPS protocol. The publication address must be
configurable for each CA.
Query: Availability of webserver to publish CRL through http/https protocol.
The webserver will be provided by Indian Navy to publish CRL through http/https protocol.
82 Additional point Query: Tape drive and disk backup not consider in hardware and backup software not included since offsite backup as per IT Act, hope it is available.
Existing adequate backup infrastructure is available with Indian Navy and the same can be utilized by the bidder.
83 Additional point Query: Teleclock not included in IT Infra, its key factor and IT Act requirement to sync time of with NPL India.
Indian Navy will endeavor to provide GPS Clock
M/s Technology Nexus Secured Business Solutions
84 Page 9, Point 6 No server or CAL is envisaged to be procured as part of this project. In case of Microsoft Server and database licenses required during infrastructure setup by the successful bidder, the same will be provisioned by Indian Navy. Query: Request to specify the available OS & DB version with Navy. Also as part of the hardware requirement mentioned in project, Rack servers are to be provided by the bidder. Pls clarify is requisite OS & DB licenses would be provided by Navy?
The following software are available with Indian Navy:-
(a) Server OS - Windows Server 2008 R2/ 2012 and 2012 R2 (Std and DataCenter)
(b) Database – MS SQL 2012 STD/ Enterprise
85 Page 9, Point 6 (b) The bidder may use the same to envision and develop custom work flows. The workflow application should include provisions for level of approvals required as per CCA. The application should utilise the authentication mechanism of existing IT infrastructure viz. Active Directory and IDAM (Currently CA Software). Query: there are no workflow approvals specified by CCA. this is to be decided by Navy. Also, CA system may have its own approval process which can be integrated with AD & may not require share point. e-form integration workflow need to be elaborated.
Clarification same as serial 56.
86 Page 37 SI Pre-qualification Criteria Query: In case, the bidder is an existing CCA certified CAs the above clauses are not applicable (Suitable proof to be submitted) Query: In recent government bids for PKI/CA projects: the government has specifically put up a conflict of interest clause: The bidder should not be a CA licensed by the CCA for providing CA operations in India. Bidder should not have conflict of interest, or potential conflict of interest; or any incident that materially and adversely affects the government Certification Authority's operations We request Navy to consider this.
It is clarified that the current project is only for usage by Indian Navy and its personnel. So the likelihood for conflict of interest does not exist. Hence, as per RFP
87 Page 37 Prime Bidder individually or jointly with Consortium partners should have experience of having successfully associated with a PKI project or a esign project during last 5 years ending last day of month previous to the one in which bids are invited. Query: there haven’t been any recent RFPs for licensed PKI CA projects being executed by the prime bidders. Most of the enterprise/licensed CA are directly executed by OEMs We request Navy to change the clause for considering OEM credentials: Prime Bidder individually / CA software OEM should have experience of having successfully associated with a PKI project or a esign project during last 5 years ending last day of month previous to the one in which bids are invited. Prime Bidder & CA Software OEM can submit a teaming agreement to Navy for scope of work and obligations at the contract stage.
As per RFP
M/s Inspira Pvt. Ltd.
88 Page 13, Point 10 Warranty start date is defined as the date when CCA would certify Indian Navy certification to function as CA. Warranty period for all hardware components and
software licenses shall be deemed to commence from the date of sign-off. Warranty for all hardware components shall commence on the day of Project Sign-off and
shall last.
Query: We understand you require 2 years warranty and 2 years AMC cost separately. Please confirm by default warranty will be required with items which are in
BOQ
Warranty shall commence on the day of Project Sign-off and shall last for Two years. During this period, support for all project components like Hardware supplied, software developed / customised / configured for the project, physical installations of infrastructure setup as part of this project, update of help content etc. shall be covered. It is clarified that level of services for warranty, AMC and optional additional AMC is same. On completion of warranty, AMC will commence. Post which IN may enter a contract for optional additional AMC with the successful bidder as per previously negotiated prices/rates. Para 10 of part II of RFP refers.
89 Page 18, Point 23 Payment Terms
Query: We have a suggestion for the 80% on the delivery, inspection and Detail Project report submission and 20% on the project Signoff.
As per RFP
90 Page 12, Point 9 Training
Query: We understand, we need to provide 2 trainings each year and it is for the certifications also.
It is clarified as per para 9 of part II of RFP that the training would consist of the following:-
(a) Bidder would organize training of 20 Officers and 30 Sailors on various aspects of Information Security, public key infrastructure and licensing of CA operations. (b) Additional certificate courses to be conducted/ provided by SI with one time certification fees at SI’s cost: -
(i) CISA (certification for 05 Students)
(ii) CISSP (certification for 05 Students)
91 Page 12, Point 9 Training
Query: We understand, For CISA and CISSP certification, we will provide single attempt for no of officers mentions.
This point needs to be read in conjunction to the clarification offered at point 90 above. It is clarified that the bidder will pay one time exam fee for CISSP and CISA exam for personnel nominated by Indian Navy.
92 Query: Bank Guarantee mode of EMD Submission can also be added.
Bank guarantee mode of EMD submission is available. Para 15 part I of RFP is relevant.
93 Page 13, Point 10 (F) Support Manpower
Query: Please confirm for Resident Engineer and support engineers nos and both will deploy on one location or multi locations.
It is amplified that a single resident engineer is required to be positioned at Delhi DC. Para 10(e), Part II of RFP refers.
94 Page 38, Point 9 PQ Criteria
Query: Suggest - IT project of 10 Crs order or 2 orders of 5 Crs each.
As per RFP
M/s Em Signer
95 Page 9 Indian Navy currently has licenses for Microsoft Sharepoint 2013 server, EMC2 Documentum, CA Identity Manager and Necessary Client licenses. The bidder may
use the same to envision and develop custom work flows.
Query: Whether we can have a workflow system compliant with CCA guidelines without using the specific softwares mentioned in this point of RFP.
Clarification as per serial 56.
96 Page 49 The CA security architecture must underlie a successful security evaluation like Common Criteria
Query: Request also to add successful or under security evaluation.
The requirement of evaluation is from an assurance perspective. Hence, it is clarified that the proposed CA application should have undergone a successful evaluation or under security evaluation like Common Criteria
97 Query: Whether shall the bidder or any other 3rd party CA solution compliant with CCA
It is clarified that the proposed CA solution should have been implemented and running live in one of the CAs globally or the solution should have been implemented in India under the certification of root CA of India.
M/s C-DAC
98 Page 9, Point 6 (b) Indian Navy currently has licenses for Microsoft Sharepoint 2013 server, EMC 2 Documentum, CA Identity Manager and Necessary Client licenses. The bidder may
use the same to envision and develop custom work flows. The workflow application should include provisions
for level of approvals required as per CCA,
Query: Please specify what workflows are envisioned as part of this solution on the domain, as all admin functionality is in protected network of PKI components only.
Justification: CA software should have the work- flow configuration feature embedded with the solution.
Clarification same as serial 56.
99 Page 10, Point 7 (a) On implementation/configuration of the CA server, it has to be integrated with existing IT infrastructure of Indian Navy. The bidder will integrate the PKI setup with Active Directory, MS Exchange Server, SCCM, SCOM to the extent feasible for leveraging PKI infrastructure.
Query: PKI setup will be integrated with LDAP. All certificate usage has to be by applications integrating with the LDAP (AD in this case). It is not clear if the PKI setup is to integrate separately with each application on the network. Neither is this advisable.
Justification: PKI being an authentication mechanism will be part of the LDAP
It is clarified that PKI will be integrated with existing Active Directory for authentication purposes. The integration with other applications like MS Exchange Server, SCCM and SCOM is to be undertaken to the extent feasible.
100 Page 10, Point 7 (a) On implementation/configuration of the CA server, it has to be integrated with existing IT infrastructure of Indian Navy. The bidder will integrate the PKI setup with
Active Directory, MS Exchange Server, SCCM, SCOM to the extent feasible for leveraging PKI infrastructure
Query: All management components of the PKI servers will be included with the setup. No usage of SCOM/SCCM for these servers is envisaged.
Justification: Management of Linux based PKI servers will be part of the protected network.
The clause is being retained as per RFP.
101 Page 10, Point 7(a)(iii) Implement Active Directory based two-factor authentication only to each CA server (maximum 04 servers)
Query: (a) CA server will not be on direct network to AD (b) 2FA can consist of a password/pin and a token
Justification: CA server has to be air gapped
It is clarified that CA Server is in Navy’s Network, segregated by implementing zones. The existing Active Directory has to be configured for two-factor authentication.
102 Page 47, Point B (8) It should be possible to run any number of CAs in any hierarchy in the same system. The CAs should possibly have different CA policies.
Query: Kindly Clarify
Justification: Different CAs have to be recognized by domain. E.g. your domain recognizes Symantec , Verizon etc.
The clause is being retained as per RFP.
103 Page 47, Point B (9) It should be possible to assign registration officers to individual CAs or user domains and visibility/usability of user data should be limited to assigned CA or user
Domain.
Query: Kindly Clarify.
It is clarified that certificate issuance requests from work flow software should be catered. The work flow software should leverage/ integrate with the IDAM(OEM CA) of Indian Navy for credentials of the persons requesting the certificate. The designed workflow should comply to CCA guidelines on issuance of different class of certificates. The applications that can be used for work flow and available with Indian Navy has been mentioned in the RFP. The bidder may use the applications and the licenses for same will be provided by Indian Navy. The bidder is free to use any other application in case if he desires to. Further, in case of a CA product having an inbuilt workflow the same is also acceptable to Indian Navy.
Justification: Different CAs have to be recognized by domain. E.g. your domain recognizes Symantec, Verizon etc
It is clarified that user domain means organizational units of Active Directory.
104 Page 47, Point B (13) End entity certification according to individual policies.
Query: Please Clarify.
Justification: Certificates are issued as per standard formats for signature, SSL etc.
It is clarified that certificates are to be issued as per standard formats.
105 Page 48, Point C (21) CA key management, Root-CA and Sub-CA certification, CA policy management: It should be possible to manage any number of CAs in any hierarchy in the same system. The CAs should possibly have different CA policies
Query: Please Clarify
Justification: CA is air gapped. Then a console that can manage CA cannot speak to Sub CAs.
It is clarified that, it should be possible to run any number of CAs in a hierarchy in a virtualised environment.
106 Page 48, Point C (24) Cross certification should be supported in both directions: internal CA to certify external CA and vice versa in PKCS#10 procedures.
Query: Please Clarify
Justification: CAs are inherently self-signed authorities who act as root of trust. Hence they are not "certified" by anybody. If a sub CA, then you can have a sub CA certified by external entity (e.g. NIC CA) but vice versa not possible/required.
The clause is being retained as per RFP.
107 Page 49, Point E (37) All relevant user actions (e.g. registration, certification, revocation etc.) should be logged in a digitally signed revision safe audit trail (transaction log), which is auditable. Relevant actions require commitment signatures of the user(s). Critical actions (e.g. CA management) require commitment signatures of more than one officer.
Query: Please add WORM device(s) in BOQ.
Justification: WORM device required.
The clause is being retained as per RFP.
108 Page 50, Point G (46) Support for different certificate profiles based on X.509 Public Key Certificates, Attribute Certificates, Card Verifiable Certificates (CVC) (e.g. e-Passports), Tachograph Certificates, Wireless TLS (WTLS) Certificates in conformance with the Wireless PKI (WPKI) Specifications.
Query: It is requested that non-applicable certificates (e.g. Tachograph certificates) are removed and the list be explicitly rationalised.
Justification: All standard CA certificate profiles will be used.
It is clarified that tachograph certificates are optional feature.
Digitech Electronic Systems Pvt. Ltd.
109 Storage of key values should be more than 2000
Query:
As point no. 14 says keys should secured and not stored, as per CCA guidelines. Same should be reflected in this point.
The point needs to be read in clarification at point No 52. Hence, as per RFP.
110 8. Software Upgrade The offline upgrade through web service is preferred.
Query:
It must be offline upgrade or Web services
It is clarified that the intranet of Indian Navy is air gapped from internet. Hence, the upgrades should be in offline manner through web services.
111 24 and 25. Operating Temperature and Storage Temperature Operating – (0 to 35) Storage – (10 to 30)
Query:
Generally storage temperature range is higher than operating. All HSMs generally support operating temperature 10-35. Hence this seems like a typo error
The typo error is regretted. It is clarified that the specified temperatures are as follows:- Storage – (0 to 35) Operating – (10 to 30)