1. Savings for the Nation Government e-Market Place II Pre-Procurement Market Engagement Nick Morris; August 2012 1

2. Savings for the Nation Agenda Introductions Government Procurement e-Enablement and e-Commerce Government e-Market Place Background Procurement Overview Proposed Timescale Proposed Statement of Requirements Security Requirements Next Steps 12/10/20142

3. 1.To support the definition of category strategies, the sourcing, procurement and the management of contracts & suppliers through appropriate use of technology, maximising the use of existing investment in departments whilst ensuring there is full coverage of technical support across the whole of Government Procurement; 2.Consider the integration of multiple existing e-Sourcing solutions for centralised procurement; 3.The management of technology to promote accessibility of central deals by customers across the whole of the public sector and facilitation of the reporting and analysis of procurement expenditure, contract and supplier performance across all Central Government users. eEnablement Strategic Goals 12/10/20143 Savings for the Nation

4. Large bullet points should be set in 18pt Arial 12/10/20144 Users Suppliers Government Procurement Portal Cabinet Office Corporate Website Secure access management Category Specific Tools eMarketplace eSourcing Tool Spend Analysis Contract Finder Solution Dynamic Marketplace Cognos Data Warehouse Technical Architecture

5. 12/10/20145 Single Web Portal designed and hosted in partnership with DirectGov ERP P2P ERP hosted by CG Depts Non ERP use PS Otis accessed via Website Specific Category Tools Punch Out \ Integration with Supplier Sites eg Hotels, Fleet, Appstore eMarketplace Catalogues for common goods eSourcing Tool Complex RFQ/RFP, Auctions, SRM & contract management Users Suppliers Spend Analysis Spend by Suppliers & agreed Category schematic Contract Finder Solution Opportunities, Contract award information ‘PSPES’ Replacement Solution Dynamic Marketplace eRFQ SME Registration and Quotation for sub EU tenders (services) The Government Open Procurement Portal ERP AP Enabling Technologies Target GPS Architecture

6. GPS Spend Analysis** For customer and supplier communications GPS eSourcing** Dept eSourcing tools Dept ERP / AP GPS eMarketplace* Dynamic eMarketplace* Category Specific Tools GPS Procurement Portal** GPS Procurement and Spend Reports and Dashboards Central Application Data Flow Order details Invoice details Contract details Supplier Management Contract Management Sourcing Linked Application For Central Contracts For Total Spend 6 For non-spend related analysis GPS Reporting Tool** For opportunity and contract award publication Contracts Finder* RFx and Contract data Cleansed Spend Data Catalogue details Enabling Technologies Target GPS Architecture *Live ** Being Implemented

7. Government e-Market Place Background Where Have We Come From Zanzibar Framework agreement Let August 2005 Managed by OGC Buying Solutions DWP Usage ERP Implementation Legacy Catalogue Hosting Current Position Catalogue Non-Catalogue E-RFQ Future Direction Ge-M II Savings for the Nation

8. Completed Consultation with other Government Departments and Wider Public Sector organisations including cross-Government senior stakeholders; minimum requirements identified and agreed by ESAB. PIN notice issued 22 Nd June 2012 Strategy developed and incorporated into a business case Consultation with GP IAO Pre-procurement market engagment event 1 st August 2012 12/10/20148 Procurement Overview

9. Savings for the Nation Moving Forward – Provisional Timescales Review supplier feedback – by 6 th August Stakeholder engagment & requirements gathering exercise – w/c 13 th August Draft OJEU and issue – September 2012 Tender Issue date - Late September / October 2012 ITT return – 5 th November 2012 Evaluation period – 12 th November – 10 th December 2012 Mandatory standstill start date w/c 17 th December 2012 Contract award – end of January 2013 12/10/20149 Proposed Timescales

10. Savings for the Nation Minimum Statement of Requirements 12/10/201410 Government e-Market Place II

11. Savings for the Nation Mandatory Services Content Management system – UNSPSC data mapping; catalogue workflows; rich data content with live links to supplier data Hosted Catalogue Management Services – catalogue search and compare; permission views local/global; supplier registration workflow [self service]; bulk upload / supplier adoption; DUNS Purchase to Payment lite – integrated / non integrated end user; backward compatible IE6; integration to other e-systems; end user support; MI tool and standard reporting; spend analysis and SUM reporting 12/10/201411 Government e-Market Place II

12. Savings for the Nation Mandatory Security Requirements Systems and accreditation IL 1; 3 and 4 GSi Hub CJX Hub N3 Hub NHS supply chain secure XML Firewall Security cleared personnel 12/10/201412 Government e-Market Place II

13. Savings for the Nation Dynamic RFQ functionality Non-complex ; low risk; sub-OJEU requirements quick turn around secure GP central category strategies Public Sector opportunities for SME 12/10/201413 Government e-Market Place II

14. Savings for the Nation Commercial model Modularised delivery Cost effective End user selection of component parts to fit requirements VfM Sector Wide 12/10/201414 Government e-Market Place II

15. Savings for the Nation Government e-Market Place II Mandatory Services Content management system Data mapping to UNSPSC Catalogue workflows Rich data content with live links to supplier data Hosted catalogue management services Catalogue search and compare functionality Permission views local / global Supplier registration workflows [self service] Bulk upload – supplier adoption DUNS identifier Purchase to Payment lite Integrated / non-integrated – end user Backward compatible to IE6 Integration to other e-systems End user support MI tool and standard reporting Spend analysis and SUM reporting Mandatory Security Requirements Systems and associated accreditation IL 1; 3 and 4 GSi Hub CJX Hub N3 Hub NHS supply chain secure XML Firewall Security cleared personnel Dynamic RFQ functionality for sub OJEU requirements GP central category strategies 12/10/201415 Commercial model Modularised delivery Cost effective End user selection of component parts to fit requirements VfM Sector wide

16. Savings for the Nation Information Assurance & RMADS Accreditation Amanda Squire, August 2012 12/10/201416

17. Security Policy Framework Cabinet Office website: http://www.cabinetoffice.gov.uk/content/government-security/ MR 8 All ICT systems that handle, store and process protectively marked information or business critical data, or that are interconnected to cross-government networks or services (e.g. The Government Secure Intranet, GSI), must undergo a formal risk assessment to identify and understand relevant technical risks; and must undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed. 12/10/201417

18. 12/10/201418 Security Policy Framework Cabinet Office website: http://www.cabinetoffice.gov.uk/content/government-security/ MR 9 Departments and Agencies must put in place an appropriate range of technical controls for all ICT systems, proportionate to the value, importance and sensitivity of the information held and the requirements of any interconnected systems. 12/10/201418

19. HMG Information Assurance Standards CESG Information Assurance Policy Portfolio www.cesg.gov.ukwww.cesg.gov.uk IS1&2 – Information Risk Assessment IS4 – Management of Cryptographic Systems IS5 – Secure Sanitisation IS6 – Protecting Personal Data & Managing Information Risk IS7 – Authentication of Internal Users of ICT Systems Handling Government Information 12/10/201419 Only IS1 Technical Risk Assessment, Business Impact Levels & the IS1 Risk Tool are available on the public website at this time.

20. 12/10/201420 CESG Technical Guidance CESG Information Assurance Policy Portfolio www.cesg.gov.ukwww.cesg.gov.uk GPGs – Good Practice Guides Cryptographic Standards Developers’ Notes Implementation Guides Architectural Patterns CESG Security Procedures Technical Threat Briefings CESG IA Notices On Contract Award, IT Security Managers should contact enquiries@cesg.gsi.gov.uk quoting Government Procurement Service as the sponsoring organisationenquiries@cesg.gsi.gov.uk

21. HMG Information Assurance Standards IS1 & 2 – Information Risk Assessment Risk Management Requirement 8 Departments & Agencies must assess the technical risks to the Confidentiality, Integrity and Availability of their ICT systems or services. A technical risk assessment must be conducted at the start of all HMG ICT projects or programmes, and must be refined to reflect any change. The findings of all technical risk assessment must be reviewed at least annually to identify any changes to threat, vulnerability or impact. Supports MR 8 of the SPF 12/10/201421

22. 12/10/201422 HMG Information Assurance Standards IS1 & 2 – Information Risk Assessment Risk Management Requirement 13 The findings of the technical risk assessment must inform and substantiate the selection, and implementation approach of the controls used to treat the identified technical risks. The approach to selection and implementation must be endorsed by the Accreditor or their delegated authority. Supports MR 9 of the SPF

23. 12/10/201423 HMG Information Assurance Standards IS1 & 2 – Information Risk Assessment Risk Management Requirement 14 The risk treatment plan must include as a minimum the mandatory protective controls from the SPF, HMG IA Standards and other relevant Tier 4 policy documents. Supports MR 9 of the SPF

24. 12/10/201424 HMG Information Assurance Standards IS1 & 2 – Information Risk Assessment Risk Management Requirement 15 By default every HMG Information system or service with a Business Impact Level (IL) of 3 or above for either: Confidentiality, Integrity or Availability, must implement the full set of controls as defined in the Baseline Control Set of the supplement to this standard.

25. 12/10/201425 Baseline Control Set IS1-2 Supplement, Appendix A Aligned to ISO27001 Control References 5 to 15 DETER level guidance for IL2/3 Suitable to treat all risks up to and including Medium Risks identified as Medium-High or High must have additional mitigation in place

26. 12/10/201426 RMADs Accreditation Risk Management & Accreditation Document Set The confidence that the risks to information systems are being properly managed is known as Information Assurance (IA), and the formal assessment of an information system against its IA requirements is known as accreditation. All ICT systems or services that process, handle or store protectively marked or personal [or sensitive] Government information must be accredited using IAS 1-2 and reviewed annually. (eg >= IL 2) Accreditation is the business process for managing information risk of ICT systems and services

27. 12/10/201427 RMADs Accreditation Accreditation Stages The accreditation process must start as early as possible. Initial requirements identified at Stage 0. Preliminary process started by Stage 1 Process starts around Stage 3. Accreditation approval Stage 4. Accreditation maintenance – Situation Awareness Stage 5 End of life – Decommissioning Stage 6

28. 12/10/201428 RMADs Accreditation Accreditation Stages 1.Project Initiation – meet SRO/PM; agree Risk Owner (SIRO); set C, I and A business impact levels; agree risk tolerance based on Government Procurement Service risk appetite. 2.Set up IA management team – agree accreditation plan. 3.Draft RMADS and initial IAS1 risk assessment – approved by Accreditor. 4.Technical Security Architecture defined – approved by Accreditor and/or CESG Design Review. 5.System built. 6.Physical, procedural, personnel and technical (P 3 T) inspections including ITHC – consolidated risk register 7.User Acceptance Testing 8.SIRO acceptance of residual risk and RMADs accreditation sign off. 9.Annual security review (including ITHC) and re-accreditation 10.Decommission

29. Approaches to the risk management and accreditation of interconnections will vary depending on complexity, however in all cases need a formal agreement on the interconnection is required. Approaches may include: A Code of Connection (CoCo, eg PSN) for a single point to point connection; A Community Security Policy (CSP) defining the mandatory security requirements for connection to a community of interconnected systems or services; Shared service agreements – develop trust between shared IA managers; The Accreditation approach for the required interconnections will be agreed following contract award when the proposed solution is known. 12/10/201429 RMADs Accreditation Interconnections – PSN, CJX, N3

30. 12/10/201430 RMADs Accreditation Outsourcing & Offshoring Host environments, data centres and other ICT services supplied by third parties/sub-contractors may also require accreditation. GPG6 – Outsourcing & Offshoring: Managing the Security Risks Supplementary controls for systems in addition to those in ISO27001 A detailed risk assessment must be performed prior to transitioning service delivery to an external third party The service provider is required to operate the contract in accordance with UK law, the SPF and all associated standards and guidance

31. 12/10/201431 RMADs Accreditation Overview of Contents Section 1: Accreditation Status Accreditation Statement Accreditation History Links & Dependencies Register of Applicable Legislation Section 2: Basic Information Business Context Description of Service Information Asset List Interconnections & Interfaces Accreditation Scope Responsibilities & Functions Accreditation Review Process

32. 12/10/201432 RMADs Accreditation Overview of Contents - continued Section 3: Information Risk Management Corporate Risk Environment Business Impact Statement Technical Risk Assessment (IS1) & Risk Register Risk Treatment Plan Implementation Plan Assurance Plan Residual Risk Assessment & Gap Analysis Section 4: Development, Acceptance & In- Service Information Risk Management Plan (Security Case) Results of IA Verification, Testing and Inspections (including ITHC) Security Operations Procedures (SyOps) Incident Management, Reporting & Response (including BCP) Decommissioning and Disposal Procedures

33. 12/10/201433 RMADs Accreditation For specific technical and functional requirements please contact the Government eMarketplace II procurement team Successful bidders are strongly advised to engage a CLAS (CESG Listed) Consultant on Contract Award to assist with the RMADs process

34. Savings for the Nation Next Steps High Level Specification available online – W/C 13 th August 2012 http://gps.cabinetoffice.gov.uk/i-am-supplier/supplier-industry- days Any questions or queries prior to issue of OJEU email them to Ge-M-II@gps.gsi.gov.uk 12/10/201434