Clarification Note #2
GSA internal reference: 249005
Procurement procedure: GSA/OP/48/18
“Operational Interface System for the GSMC (OIS)”
Interested bidders are invited to take into account the clarifications below, which reply to questions
asked during the webinar that took place on 19/02/2019.
The slide-show of this webinar is available in the annex to this clarification note.
Question 1: While the approximate number of operator positions is indicated, including 300% expansion; can you clarify how many different classified systems are connected on the other side of the OIS?
Answer 1: Currently 8 systems are connected, all handling EU Classified Information at SECRET UE/EU SECRET level.
Question 2: Are these systems the maximum, also regarding the extension?
Answer 2: The current baseline is 8 systems. Potential extensions up to 300% may be expected by adding additional systems and/or work positions. The tenderer shall assess the scalability of the proposed design.
Question 3: Is there a redundancy concept planned for the KVM matrix?
Answer 3: It is for the tenderer to propose a system and a business continuity plan in compliance with the required levels of service. The tenderers may propose workarounds in order to maintain business continuity in a degraded mode. The recovery strategy will be assessed by GSA in the technical award criterion Q8.
Question 4: Are there any thoughts on how to connect the smartcard reader?
Answer 4: The GSA expects that the OIS is capable of reading the smartcards via a USB port (i.e. no direct connection to the workstation behind KVM). The tenderer may propose a different concept to write the smartcard (e.g. ability to only read the smartcards via the OIS and to require direct connection to the system for writing them).
Question 5: Could you confirm that the 300% is the maximum of 24 workspaces?
Answer 5: Yes. Please refer also to Question 2 here-above.
Question 6: Do the overview monitors in the room have the same resolution?
Answer 6: In principle, this is the case. Depending on the system connected to the KVM, different connection ports are allowed, e.g. DP (display port), VGA, HDMI and DVI. This may limit the resolution of the systems depending on the technology available at each work station.
Question 7: What is the distribution of classification for the 8 classified systems (e.g., 4 restricted, 4 S-EU)?
Answer 7: Currently, all the 8 systems are EU SECRET. For further evolutions, if assurances are given that accreditation may be granted, connection of EU RESTRICTED systems may be considered. If such evolutions will be considered, a diode would be expected.
Question 8: Is the integration of virtual CPUs to be expected at a later point in time?
Answer 8: This is not foreseen in this Invitation to Tender, and therefore out of its scope.
Question 9: Do you need special Video transmission?
Answer 9: GSA considers to connect only monitors without videoconference capabilities. In particular, only computers with classic screens, mice, keyboards and smartcard readers.
Question 10: Is there analog or digital audio required at the workstations?
Answer 10: This is not the case; no audio is required at the workstations.
Question 11: If the smartcard reader is to be connected via a transparent USB - for security reasons, who takes care that only this reader is connected and no other device?
Answer 11: In case a deviation with respect to the requirements is necessary to cope with technical constraints, the tenderers shall provide evidence in its offer that the associated risks are assessed and can be acceptable (e.g. mitigated by additional security measures). Then the GSA will assess if any partial compliance or no compliance in the offers are acceptable.
Question 12: The GSMC has several information related to the Public Regulatory Service (PRS). Can you confirm that no SAB authorisation is required to participate in the tender? Can you clarify whether any compliance to the European GNSS PSI is needed?
Answer 12: No SAB authorisation is needed for the tenderers to participate. Compliance to the European GNSS PSI is required (see section 1 of the security aspect letter – Annex II.VI to the draft Contract).
End of document
Annex: Webinar slides of 19 February 2019
Operation Interface System for the GSMC
Information Webinar, 19th February 2019
GSA/GSMC Department
GSA Legal Department
• Participants’ microphones are muted. To avoid any echo, please switch off your microphone.
• Make sure your speakers or headphones are switched on, and turn up the volume.
• To interact you can use the common chat room. Questions to individual participants will not be answered.
• Your questions will appear to the other participants
Before we start – way of working (1/2)
• Questions are collected and addressed at the end of the session, if time allows it.
• All questions and answers will be published on the GSA website in order to guarantee the equal treatment of tenderers/applicants.
• Slides and clarifications will be available in due course online after this webinar.
Before we start – way of working (2/2)
INTRODUCTION
TENDER OBJECTIVES
TENDER REQUIREMENTS
CONTRACT
PARTICIPATION AND EVALUATION
HOW TO PREPARE YOUR TENDER
Q&A TIME
Agenda
INTRODUCTION
• The Galileo Security Monitoring Centre (GSMC) will be the hub of European GNSS security. It has the mission to provide a secure EU facility that offers a secure method for PRS users to interact with the Galileo System Operator.
• This will simplify the operation of the Galileo system and provide assurance to PRS users that sensitive information related to their use of Galileo is suitably managed and protected. The GSMC also coordinates the implementation of Joint Action instructions received from the EU SitCen (Situation Centre).
• The operation of the GSMCs within the Galileo system is the responsibility of the GSA, delivering the following specific missions:
‒ Management of PRS access
‒ Galileo security monitoring
‒ Response to European GNSS crisis and security events
‒ Provision of European GNSS security expertise and analysis
Background - Role of GSMC in the Galileo Programme
• The Galileo Security Monitoring Centre (GSMC) has space constraints in the TEMPEST secure area due to the fact that dedicated terminals and desktops are physically attached to each system in the GSMC sites.
Background
Scope of the Call
• GSA is procuring a security accredited operational interface system (OIS) that connects each of the GSA systems and their instances to every workstation in the appropriate operational area. The OIS/KVM switch will allow multiple users to access any of the interconnected systems’ instances via any of the workstations.
• The baseline for this Contract is to have a minimum of eight workstations with OIS accessibility designed, developed and deployed at the GSMC site in Saint-Germain-en-Laye, France (GSMC-FR).
• The OIS design shall allow:
‒ Management of physical space constraints,
‒ Operators to work more efficiently from a single workplace instead of moving between the current standalone workplaces,
‒ Improvements of work flexibility, and
‒ Improvements of scalability for the future deployment of the systems.
Tender objectives (1/2)
• Preliminary architecture description
Tender objectives (2/2)
Contract baseline and options
Contract baseline
• Technical requirements
• Cyber management requirements
• Security requirements
• Installation requirements
• Service requirements
• Training requirements
Option 1
• GSMC SITE IN SPAIN
Option 2
• EXPANSION OF THE OIS INSTALLATION FOR THE GSMC SITE FRANCE
Option 3
• EXPANSION OF THE OIS INSTALLATION FOR THE GSMC SITE SPAIN
Options
OPERATIONAL REQUIREMENTS
• [REQ-1] The users of the OIS shall be able to operate any physical workplace in the dedicated Room in the respective GSMC site and then use a secure switching capability to connect his/her workplace to the target system that he/she needs to work on. When connected to a target system, the operator shall be able to login as he/she does currently (i.e. using password and/or smart card).
• [REQ-2] A set of 8 (eight) identical team workplaces shall be available for all users of the OIS.
• [REQ-3] Each workstation shall be directly connected to the OIS which will be stored either within the current room or in the equipment room next to the room (to be assessed during the site survey) – see Figure 4.
• [REQ-4] A monitoring system shall be available for the users of the OIS to configure and identify the OIS configuration of the room and also to perform HQ presentations (via video projector) in the room.
Operational requirements
TECHNICAL REQUIREMENTS
• [REQ-5] Each OIS team workplace shall – as a minimum – comply with the following requirements unless indicated otherwise – bearing in mind the expansion requirement [REQ-8], and potential re-use of existing hardware [REQ-30]:
a. 2 (two) monitors, LCD 24”, each with video display resolution of 1920x1200 at min. 60 Hz with at least one of the following: HDMI, Display port, DVI-I or VGA video input.
b. 1 (one) mouse
c. 1 (one) qwerty keyboard
d. 1 (one) smart card reader (not needed if workaround for securing access is available)
Note: The current card readers are not USB HID compatible. Investigation has been carried out into the workaround for this, with options available for securing access. However, these are to be provided by the contractor, with a set of possibilities offered for consideration by GSMC.
e. 2 (two) Dashboard monitors 40” (also used for HQ presentation)
f. 1 (one) video projector
TEC requirements (1/2)
[REQ-6] The mice, (QWERTY) keyboards and other peripherals have to be connected through USB-HID to the CON unit or at least have means to avoid the possibility to connect unexpected USB devices (e.g. USB stick).
[REQ-7] The OIS shall be deployable in the GSMC’s room (Figure 4).
[REQ-8] The OIS shall be a scalable system to allow significant expansion (up to 300%).
[REQ-9] The contractor shall ensure that the installation and markings of any items are compliant to Galileo Ground Segment Integration Standards (GGSIS) [AD.01]
TEC requirements (2/2)
CYBER MANAGEMENT REQUIREMENTS
• [REQ-10] The contractor shall ensure that the following cyber requirements are fulfilled: [REQ-10-1] to [REQ-10-11]. The contractor may deviate from this requirement with regard to the keyboard and mouse interface with justification in writing.
• [REQ-10-1] The contractor shall communicate to GSA/GSMC occurrences of any cyber security incidents.
• [REQ-10-2] On GSA request, the contractor shall support the preparation of documentation to submit, and participate to cyber meetings on request (i.e. cyber board, cyber review board, accreditation team cyber check points).
• [REQ-10-3] The contractor shall ensure that all employees and subcontractors involved in the Contract have at least annual security training.
Cyber requirements (1/4)
• [REQ-10-4] As a minimum, the security awareness programme shall cover the following aspects:
‒ Security policy of the organization
‒ Physical security
‒ Access controls (Password and account management)
‒ BYOD
‒ Social engineering avoidance
‒ Secure e-mail practices
‒ Security Incident Management Plan
‒ Classification data management
• [REQ-10-5] The contractor shall annually provide evidence to the GSA in writing of attendance of contractor and sub-contractor staff on the security awareness programme (security awareness record).
Cyber requirements (2/4)
• [REQ-10-6] When during its duties, the contractor identifies a critical finding (e.g. vulnerabilities), it shall immediately report it to GSA/GSMC in writing, signed by the contractor’s authorised representative.
• [REQ-10-7] For each critical finding, at least the following information shall be provided:
‒ Finding description: description of the finding, including the method used for identification;
‒ Root cause: it is that which gives rise to the risk;
‒ Impact: deviation from the expected provision of the service or system functionalities;
‒ Likelihood: it is the chance of the risk materialising;
‒ Proposed remedy: proposed action to be put in place to remedy the finding.
• [REQ-10-8] Patching assurance: The contractor shall ensure that software and hardware composing the infrastructure is installed, including all the software and firmware patches released by the contractor which have been identified 9 (nine) months before the acceptance review.
Cyber requirements (3/4)
• [REQ-10-9] Vulnerability report: At acceptance, the contractor shall provide to the GSA a report listing any non-corrected vulnerability and the associated analysis. This information has to be included in the accreditation dossier defined in [REQ-76].
• [REQ-10-10] Network Map: At acceptance, the contractor shall provide to the GSA an asset inventory, identifying for each asset its network and security configuration (e.g. IP address and network, authentication mechanisms, security hardening baseline, non-corrected vulnerabilities). The network map can be an annex of the DDF defined in [REQ-72].
• [REQ-10-11] Cyber maintenance: During the maintenance phase (see section 2.8), the contractor shall perform vulnerability management. In general it should, as a minimum: (1) Identify any new vulnerability impacting the OIS; (2) Provide to GSMC an analysis of the vulnerability; (3) Define a remediation for the vulnerability; (4) Install any required patch
Cyber requirements (4/4)
SECURITY REQUIREMENTS
• [REQ-11] The proposed OIS design must never form a system interconnect that allows transfer outside an existing system’s accreditation boundaries. There should be no need to re-accredit existing systems due to the introduction of the OIS.
• [REQ-12] The OIS hardware shall support integration in the GSMC TEMPEST environment, including the support of fibre optic cabling.
• [REQ-13] The OIS hardware shall not allow anywhere buffering of data to avoid any intentional or non-intentional data transfer.
• [REQ-14] The OIS design shall adopt data diodes to enforce unidirectional data flow in hardware and not relying solely on software integrity.*
• [REQ-15] Monitoring and restriction of user sessions shall be introduced to prevent an operator having the ability to access a terminal, via the OIS, where another operator is already logged on.
* The relevant requirement is deleted (see Corrigendum 1).
SEC requirements (1/4)
• [REQ-16] Management of user sessions shall be introduced to remove the capability of an operator manipulating privileges via the OIS.
• [REQ-17] The contractor shall provide evidence that the full OIS infrastructure has been approved by a National Security Authority of an EU Member State for use with classified information at SECRET level.
• [REQ-18] The contractor shall provide evidence of the OIS design to allow GSMC to review and gain confidence in the quality of channel separation and isolation for use at SECRET level.
• [REQ-19] The solution shall be designed by the contractor so that the core components and cabling can be secured within locked racks, compliant with the applicable document [AD.01]
• [REQ-20] The solution shall be designed by the contractor so workplace connectors can be arranged to minimise the tampering and substitution of hardware.
SEC requirements (2/4)
• [REQ-21] The solution shall be designed by the contractor so code signing of firmware is enforced to ensure only vendor supplied/trusted firmware and software can be installed
• [REQ-22] The solution shall be designed by the contractor so the firmware shall be non-reprogrammable to avoid any tampering.
• [REQ-23] The OIS shall provide a technical safeguard to ensure that only GSMC approved workplace device types may be connected to a workplace. All other device types shall not be connected in a usable state.
• [REQ-24] The OIS shall provide capabilities for an administrator to control the connections to a matrix or other switching device to be provided by the contractor in the solution. This shall include the ability to:
‒ Disable unused ports, and
‒ Lock cable and connector assignments to a specific port
These capabilities should be provided through physical controls but may be supported by logical means.
SEC requirements (3/4)
• [REQ-25] The OIS shall provide capabilities for an administrator to control the access of users to individual ports and groups of port in the solution.
• [REQ-26] The OIS provides visual feedback to show users which target system they are connected to, e.g. switch LEDs, screen banners, etc.
• [REQ-27] The OIS shall include the appropriate security controls as determined for mitigation of the security risks following the Risk Treatment Plan and the Security Requirements. (deliverable D4.4)
• [REQ-28] OIS solution shall provide complete assurance that no EUCI can be transferred between systems.
• [REQ-29] The OIS shall follow the designated security mode of operation. The system mode of operation is SYSTEM-HIGH, as defined in Appendix A of the European Council Security rules (2013/488/EU); noting that this may be achieved through a combination of technical and procedural measures proposed by the tenderer.
SEC requirements (4/4)
INSTALLATION REQUIREMENTS
• [REQ-30] The contractor shall provide the hardware and software required for the implementation of the requirements from the current document. However, the contractor may choose to reuse available IT hardware if compatible with its system (keyboards, mice, monitors). These are provided below:
‒ Monitor: HP LA2405 24" LCD
‒ Keyboard: HP 724720-031 and HP 434820-031
‒ Mouse: HP 674318-001
• [REQ-31] The contractor shall be responsible for the installation of the OIS and the room fitting associated.
• [REQ-32] The contractor shall ensure best practices for Tempest are followed.
Installation requirements
SERVICE REQUIREMENTS
Activities | OIS Contractor | GSA/GSMC
Maintenance concept | Define maintenance concept; Management of maintenance logbook; System & software maintenance services; In charge of RMA and PHST; License management; Configuration management | N/A
L1 maintenance | Provide L1 maintenance procedures | In charge of execution of L1 maintenance procedures
L2 & L3 maintenance | In charge of execution of L2/L3 maintenance procedures | N/A
Service requirements – summary (1/2)
SLA Type | OIS Contractor
System SLA
Core OIS technology
- 99.9% availability requirement per week
- A maximum cumulative downtime of 2 (two) hours per week or 1 (one) hour per day in any one incident
Peripheral device
- 99.5% availability requirement per year
- A maximum downtime of no more than 1 (one) day in any one incident
Support SLA
URGENT Support/Review meeting
Via teleconference
- Max 1 hour of a request by the GSA received by the contractor’s designated PoC
- Max 5 hours from the GSA’s request received by the contractor
On-site
- Next business day (9 a.m. to 5 p.m.) from the GSA’s request in case of failure if there is a back-up solution
- Max 16 hours within the next business day following the business day of the GSA’s request received by the contractor.
Service requirements – summary (2/2)
• [REQ-33] In order to meet the service requirements specified in the [REQ-51] and [REQ-52], the contractor shall participate to an URGENT Support /Review meeting (with the objective of resuming service availability) for URGENT Anomalies/Service Incidents that are linked to the maintenance activities under its responsibility:
1. Via teleconference (unclassified)
1.1 within 1 (one) hour of a request by the GSA received by the contractor’s designated point of contact if there is no back-up solution in case of failure and in no case longer than 5 (five) hours from the GSA’s request received by the contractor
1.2 within the next business day (9 a.m. to 5 p.m.) from the GSA’s request in case of failure if there is a back-up solution but in no case longer than a delay of 16 (sixteen) hours within the next business day following the business day of the GSA’s request received by the contractor.
2. On site for GSMC-FR/GSMC-ES sites (if classified and not solved by teleconference) within the next business day (9 a.m. to 5 p.m.) from the GSA’s request but in no case longer than a delay of 16 (sixteen) hours within the next business day following the business day of the GSA’s request received by the contractor.
Note: An Anomaly/Service Incident is defined as URGENT if the Critical Services of the OIS are not available at System level. The main objectives of the URGENT Support/Review Meeting are to define and localise problems and to solve them.
Service requirements (1/7)
• [REQ-34] The contractor is responsible for the execution of the Level 2 preventive & corrective maintenance activities. The level 2 of the Maintenance and Support Service is based on specific skills or tools. The service incident characterisation is performed by the relevant technician, who will produce adequate data confirming the anomaly or failure provided tools & instructions are available. These services need to be provided in line with the requirements of availability subject to [REQ-51] and [REQ-52]. The updates and patches required to maintain accreditation are considered to be part of the L2 activities.
• [REQ-35] The contractor is responsible for execution of the Level 3 preventive & corrective maintenance activities. Level 3 of the Maintenance and Support Service requires a high level of expertise and/or industrial tools (e.g. hardware equipment to be sent to the Provider premises).
Level 3 maintenance activities are typically performed at the industrial premises on faulty equipment, coming from the lower maintenance levels. Nevertheless, Level 3 activities could also be performed on the system’s operational sites. These services need to be provided in line with the requirements of availability subject to [REQ-51] and [REQ-52].
Service requirements (2/7)
• [REQ-36] For maintenance and support activities which the contractor is not tasked to perform itself it shall provide to GSA the Level 1 maintenance and support procedures.
• [REQ-37] The contractor shall keep a Maintenance Logbook for all performed maintenance and support activities that are under its responsibility.
• [REQ-38] The contractor in the Maintenance Logbook shall record as a minimum but not limited to:
‒ Description of maintenance procedure(s) performed
‒ Date of maintenance
‒ Hour of maintenance
‒ Location of the maintenance
‒ Element impacted
‒ Maintainer name
‒ Reference of the Ticket subject to the maintenance, if applicable
Service requirements (3/7)
• [REQ-39] Using the Maintenance Logbook, the contractor shall be able to provide on a regular basis and upon request the status of maintenance activities performed on all or part of the OIS under its responsibility for a specified period of time.
• [REQ-40] The contractor’s staff (including subcontractors) shall have the security clearance required for performing the sensitive activities that are under contractor’s responsibility in line with the Contract (i.e. deployment, maintenance).
• [REQ-41] The contractor shall ensure that its staff (including subcontractors) performing services under the Contract are duly certified according to applicable GSMC host nation National Safety Standards.
• [REQ-42] The contractor shall nominate a system & software maintenance manager to be responsible for the management, execution and provision of all hardware system & software maintenance services, including the co-ordination and control of the hardware system & software maintenance services provided by any sub-contractor.
• [REQ-43] The contractor shall provide a corrective maintenance service allowing the correction of any detected non-conformance in the embedded software units (including COTS, if available), documentation or hardware items of the products forming part of the OIS.
Service requirements (4/7)
• [REQ-44] The contractor shall prepare a proposal for implementation of evolutions in the embedded software units, documentation or hardware items of the products that can be activated upon GSA’s request (that will include requirement(s) to be implemented and the development plan constraints).
• [REQ-45] The contractor shall, upon request of the GSA, produce an Obsolescence Survey Report with a 2 (two) year sliding window, in order to characterise the expected end of life of all elements of the system including the support facilities.
• [REQ-46] The contractor will be in charge of managing the RMA (Return Material Authorisation) process. When a faulty item has to be returned, the contractor shall coordinate with GSA.
• [REQ-47] The contractor shall be in charge of OIS goods packaging, transportation, unpacking and reception.
• [REQ-48] The contractor shall manage asset configuration in agreement with the GSA.
Service requirements (5/7)
• [REQ-49] The contractor shall provide all the initial required licenses for the equipment provided (part of Contract Baseline and option 1, respectively). The maintenance of the licenses after the system hand-over is considered part of the Level 2 Maintenance and support under the respective WP of the Contract.
• [REQ-50] The contractor may choose to oblige itself with providing for the OIS real time monitoring and auditing of the health of core components and connectors to support problem diagnosis and preventative maintenance under a pre-defined concept as part of its tender. The monitoring capability should be demonstrably separate from any user data channel, so that user data cannot be recorded in the monitoring logs.
• [REQ-51] The OIS should meet formal resilience objectives, using redundant hardware if necessary. Core OIS technology (switches, matrix, system connectors, and so on)
‒ 99.9% availability requirement per week
‒ A maximum cumulative downtime of 2 (two) hours per week or 1 (one) hour per day in any one incident
Service requirements (6/7)
• [REQ-52] Peripheral device (workplace keyboard, video, mouse, smart card reader connections)
‒ 99.5% availability requirement per year
‒ A maximum downtime of no more than 1 (one) day in any one incident
Stocks of spare connectors for the connected systems and for the workplaces to support the resilience objectives.
• [REQ-53] The OIS shall provide recovery capabilities to support GSMC Business Continuity Planning. The OIS shall provide backup and restore capabilities to allow recovery of the system on replacement hardware, within 3 (three) hours from the downtime.
Service requirements (7/7)
TRAINING REQUIREMENTS
• [REQ-54] The contractor shall provide training to GSA staff in the solution for Administrators to effectively manage the system.
• [REQ-55] The contractor shall propose a change management approach for the solution when there is no test environment.
• [REQ-56] The OIS shall restrict access to administration capabilities by: 1. Authentication of administrators, 2. Restriction of administration activities to a console or specific ports
• [REQ-57] The contractor shall provide training materials for workplace users that are adapted to the needs of GSMC, including its security practices.
Training requirements
OPTIONS:
1 – GSMC SITE IN SPAIN
2 – EXPANSION OF THE OIS INSTALLATION FOR THE GSMC SITE FRANCE
3 – EXPANSION OF THE OIS INSTALLATION FOR THE GSMC SITE SPAIN
Option 1:
GSMC SITE IN SPAIN
• OP1-WP1 Project Management
• OP1-WP2 Detailed design of the OIS
• OP1-WP3 Deployment of the OIS
• OP1-WP4 Update of the accreditation documentation
• OP1-WP5 Validation, tests and certification activities
• OP1-WP6 Training
• OP1-WP7 Preparation: Maintenance and support
• OP1-WP8 Level 2 and Level 3 maintenance of the OIS
Option 2:
EXPANSION OF THE OIS INSTALLATION FOR THE GSMC SITE FRANCE
• OP2-WP1 Project Management
• OP2-WP2 Evolving design of the OIS
• OP2-WP3 Deployment of the evolved OIS
• OP2-WP4 Validation, tests and certification activities
Option 3:
EXPANSION OF THE OIS INSTALLATION FOR THE GSMC SITE SPAIN
• OP3-WP1 Project Management
• OP3-WP2 Evolving design of the OIS
• OP3-WP3 Deployment of the evolved OIS
• OP3-WP4 Validation, tests and certification activities
Options
Maximum price: 950,000.00€
Including all options
Procurement budget
CONTRACT
TIMETABLE | DATE | Note
Launch of procurement process | 01 February 2019 |
Deadline for submission of clarifications | 23 April 2019 |
Last date on which clarifications are published by the GSA | 26 April 2019 |
Deadline for submission of tenders | 02 May 2019 |
Opening of tenders | 10 May 2019 |
Evaluation of tenders | June – July 2019 | Estimated
Award decision | July 2019 | Estimated
Contract signature | August 2019 | Estimated
Project timeline
PARTICIPATION AND EVALUATION
• ALL entities (prime, consortium members, and subcontractors) must fulfil the exclusion criteria: complete Annex I.C.
Evaluation: exclusion criteria
• ALL entities (prime, consortium members, and subcontractors) must fulfil the selection criteria unless indicated otherwise.
‒ General requirement (authorisation to perform the services): all entities
‒ Specific participation conditions: all entities
‒ PSC requirement: all staff of all the entities that are planned to access above RESTREINT UE/EU RESTRICTED
‒ FSC requirement: all entities
‒ Security Aspects letter: all entities
‒ Appointed LSO: all entities
‒ Absence of conflicting professional interest: all entities (section 2.3.7.1.iii)
‒ Economic and financial capacity: see p.46 (note: “core” subcontractor)
‒ Technical and professional capacity: see p.47 (note: “core” subcontractor)
NOTE: Submit the evidence required for each capacity criterion (nb. the maximum age of supporting documents)
Evaluation: selection criteria
Legal capacity
ALL entities (prime, consortium members, and subcontractors) must fulfil the selection criteria unless indicated otherwise.
- Stable financial capacity: tenderer & consortium members (Annex I.D)
- General turnover of 450 kEURO: tenderer & consortium members (Annex I.D)
- Specific turnover of operational interface systems of 250 kEuro: tenderer & consortium members
Evaluation: selection criteria
Economic and financial capacity
The tenderer itself (for consortia, at least one consortium member individually) or at least one subcontractor. Experience on:
- design of Operational Interface Systems classified at least SECRET UE / EU SECRET or NATO SECRET
- with the deployment configuration and validation of Operational Interface System classified at least SECRET UE / EU SECRET or NATO SECRET
- the maintenance and support of Operational Interface System classified at least SECRET UE / EU SECRET or NATO SECRET.
- in providing training courses for administrators and/or users of communication systems for processing classified information.
Evaluation: selection criteria
Technical and professional capacity
• Prime must fulfil the minimum requirements in section 3.3 of Annex I.
• In a consortium, prime submits on behalf of consortium.
Evaluation: minimum requirements
Ref no | Qualitative award criteria | Minimum points
Q1 | Project and Risk Management | 8
Q2 | Design | 5
Q3 | Deployment | 8
Q4 | Accreditation documentation | 8
Q5 | Validation and tests | 5
Q6 | Training | 5
Q7 | Maintenance and support service | 3
Q8 | Commitment to fulfilling Service Level requirements (Annex I.I) | 4
Q9 | Assurance that the OIS can be maintained in future by a third party | n/a
Evaluation: Qualitative award criteria
CONTRACT
• Contract Baseline:
• Option 1 – GSMC Site in Spain (GSMC-ES) (OP1)
• Option 2 - extension of OIS GSMC Site in France (OP2)
• Option 3 – extension of OIS GSMC Site in Spain (OP3)
• Activation of an option:
• See article I.2.6 of the draft Contract.
Direct Supply Contract
HOW TO PREPARE YOUR TENDER
• Documents must be submitted in accordance with double envelope system
Tender package composition
[Diagram: Outer Envelope; Inner Envelope; #1, #2, #3]
In accordance with section 4 of the Tender Specifications:
A. The Administrative files
B. The Technical Offer
C. The Financial Offer
Summary of the tenders
1. Signed cover letter
2. Identification sheet
3. Legal entity form
4. Statement of authorisation
5. Official evidence of the person authorised to sign on behalf of the company
6. Financial identification form
7. Financial statements
8. Declaration of honour
9. Appointment of Local security officer
10. PSC certificates of the contractor’s personnel authorised to handle up to EU secret / secret UE classified information
11. Official document proving that economic operators (including all consortium members and any proposed subcontractors) have an FSC to handle classified information up to EU Secret where so required under section 3.2.1, L4.
12. Required evidence and documentation with regard to the absence of a professional conflicting interest within the meaning of article 20.6 of Annex I of FR (L7).
13. Power of Attorney
14. Submit subcontractor’s Letter of Intent
IMPORTANT: Always remember to duly sign and date the submitted document.
Administrative file
• Executive Summary (max 2 pages) on the Technical Offer (the summary should be signed and dated by an authorised representative);
• A statement of compliance for all requirements of Annexes I.D, partial and non-compliances shall be justified and credible alternative solutions proposed;
• A project management plan (for baseline and options) which shall at least contain a project schedule, a quality management strategy, a risk management strategy and a change management strategy.
• An approach for implementing the Operational Interface System (for baseline and options) as described in the technical terms of reference, Annexes I.B;
• An approach for performing each Operational Interface System work package (for baseline and options) as described in Annex I.B and how it intends to ensure the technical requirements and specifications;
• For each work package (for baseline and options), a description of how the technical requirements and specifications are implemented with clear reference to the technical requirement [REQ-No] in question.
• The Service Level Agreement (Annex I.I), duly filled in, stamped, dated and signed by the tenderer. The Service Level Agreement submitted by the successful tenderer shall become Annex II.VIII of the Draft Contract.
Technical Offer
• Tenderers should complete and sign Annex I.H – (template) Financial Offer.
• Any Overall Total Price quoted which exceeds EUR 950,000 (nine hundred fifty thousand euro) will result in exclusion of the tender.
Financial Offer
E-mail address: [email protected]
Tenders sent by express mail, commercial courier or post mail to
GSA Legal and Procurement Department, Janovského 438/2, 170 00, Prague 7, Czech Republic, Tender ref. GSA/OP/48/18
Tenders delivered by hand should be addressed to the same postal address not later than 02 May 2019 at 17.00 (CET)
Submit requests for clarifications by: 23 April 2019
Submit tenders by: 02 May 2019
Contact coordinates for the tender
Q&A TIME
Linking space to user needs
GSA Twitter - @EU_GNSS
EGNOS Twitter - @EGNOSPortal
GNSS Facebook page
GNSS YouTube Channel
GNSS Market, Research & Development
GSA Newsletter
GNSS Slideshare Page (presentations)
European GNSS Agency LinkedIn Page
www.GSA.europa.eu
How to get in touch: