Government e-Market Place II


Dec 8, 2013


Savings for the Nation

Government e-Market Place II

Pre-Procurement Market Engagement

Nick Morris; August 2012

Agenda

• Introductions
• Government Procurement e-Enablement and e-Commerce
• Government e-Market Place Background
• Procurement Overview
• Proposed Timescale
• Proposed Statement of Requirements
• Security Requirements
• Next Steps

08/12/2013

2

eEnablement Strategic Goals

1. To support the definition of category strategies, the sourcing, procurement and the management of contracts & suppliers through appropriate use of technology, maximising the use of existing investment in departments whilst ensuring there is full coverage of technical support across the whole of Government Procurement;

2. Consider the integration of multiple existing e-Sourcing solutions for centralised procurement;

3. The management of technology to promote accessibility of central deals by customers across the whole of the public sector and facilitation of the reporting and analysis of procurement expenditure, contract and supplier performance across all Central Government users.


Technical Architecture

[Slide diagram] Components shown: The Government Procurement Portal (PROTECT-IL1) with Catalogues; Cabinet Office Corporate Website; Secure access management; Category Specific Tools; eMarketplace; eSourcing Tool; Spend Analysis; Contract Finder Solution; Dynamic Marketplace; Cognos Data Warehouse. Actors: Users and Suppliers.

[Slide diagram] Single Web Portal designed and hosted in partnership with DirectGov: The Government Procurement Portal (PROTECT-IL1) with Catalogues, used by Users and Suppliers.

• ERP / P2P: ERP hosted by CG Depts; non-ERP users use PS Otis, accessed via the Website
• Specific Category Tools: Punch Out / Integration with Supplier Sites, e.g. Hotels, Fleet, Appstore
• eMarketplace: Catalogues for common goods
• eSourcing Tool: Complex RFQ/RFP, Auctions, SRM & contract management
• Spend Analysis: Spend by Suppliers & agreed Category schematic
• Contract Finder Solution: Opportunities, Contract award information ('PSPES' Replacement Solution)
• Dynamic Marketplace eRFQ: SME Registration and Quotation for sub EU tenders (services)
Enabling Technologies Target GPS Architecture

[Slide diagram] Legend: * Live; ** Being Implemented; Central Application; Linked Application.

Central applications:
• GPS Procurement Portal** (The Government Open Procurement Portal)
• GPS eSourcing** (Supplier Management, Contract Management, Sourcing)
• GPS eMarketplace*
• Dynamic eMarketplace*
• GPS Spend Analysis**
• GPS Reporting Tool**, for non-spend related analysis
• GPS Procurement and Spend Reports and Dashboards
• Contracts Finder*, for opportunity and contract award publication

Linked applications:
• Dept eSourcing tools
• Dept ERP / AP
• Category Specific Tools

Diagram annotations: For customer and supplier communications; For Central Contracts; For Total Spend.

Data flows shown between the applications: Order details, Invoice details, Contract details, Catalogue details, RFx and Contract data, Cleansed Spend Data.

Government e-Market Place Background

Where Have We Come From
• Zanzibar Framework agreement
  • Let August 2005
  • Managed by OGC Buying Solutions
• DWP Usage
  • ERP Implementation
  • Legacy Catalogue Hosting

Current Position
• Catalogue
• Non-Catalogue E-RFQ

Future Direction
• Ge-M II

Procurement Overview

Completed
• Consultation with other Government Departments and Wider Public Sector organisations including cross-Government senior stakeholders; minimum requirements identified and agreed by ESAB.
• PIN notice issued 22nd June 2012
• Strategy developed and incorporated into a business case
• Consultation with GP IAO
• Pre-procurement market engagement event 1st August 2012

Proposed Timescales

Moving Forward: Provisional Timescales
• Review supplier feedback: by 6th August
• Stakeholder engagement & requirements gathering exercise: w/c 13th August
• Draft OJEU and issue: November 2012
• ITT return: mid to end January 2013
• Evaluation period: February 2013
• Contract award: April 2013

Minimum Statement of Requirements

Government e-Market Place II

Mandatory Services
• Content Management system: UNSPSC data mapping; catalogue workflows; rich data content with live links to supplier data
• Hosted Catalogue Management Services: catalogue search and compare; permission views local/global; supplier registration workflow [self service]; bulk upload / supplier adoption; DUNS
• Purchase to Payment lite: integrated / non-integrated end user; backward compatible IE6; integration to other e-systems; end user support; MI tool and standard reporting; spend analysis and SUM reporting

Government e-Market Place II

Mandatory Security Requirements
• Systems and accreditation: IL 1; 3 and 4
• GSi Hub
• CJX Hub
• N3 Hub
• NHS supply chain secure
• XML Firewall
• Security cleared personnel

Government e-Market Place II

Dynamic RFQ functionality
• Non-complex; low risk; sub-OJEU requirements
• Quick turn around
• Secure
• GP central category strategies
• Public Sector opportunities for SME

Government e-Market Place II

Commercial model
• Modularised delivery
• Cost effective
• End user selection of component parts to fit requirements
• VfM
• Sector wide


Information Assurance & RMADS Accreditation

Amanda Squire, August 2012

Security Policy Framework

Cabinet Office website: http://www.cabinetoffice.gov.uk/content/government-security/

MR 8: All ICT systems that handle, store and process protectively marked information or business critical data, or that are interconnected to cross-government networks or services (e.g. the Government Secure Intranet, GSI), must undergo a formal risk assessment to identify and understand relevant technical risks; and must undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed.


Security Policy Framework

Cabinet Office website: http://www.cabinetoffice.gov.uk/content/government-security/

MR 9: Departments and Agencies must put in place an appropriate range of technical controls for all ICT systems, proportionate to the value, importance and sensitivity of the information held and the requirements of any interconnected systems.

HMG Information Assurance Standards

CESG Information Assurance Policy Portfolio: www.cesg.gov.uk

• IS1&2: Information Risk Assessment
• IS4: Management of Cryptographic Systems
• IS5: Secure Sanitisation
• IS6: Protecting Personal Data & Managing Information Risk
• IS7: Authentication of Internal Users of ICT Systems Handling Government Information

Only IS1 Technical Risk Assessment, Business Impact Levels & the IS1 Risk Tool are available on the public website at this time.

CESG Technical Guidance

CESG Information Assurance Policy Portfolio: www.cesg.gov.uk

• GPGs: Good Practice Guides
• Cryptographic Standards
• Developers' Notes
• Implementation Guides
• Architectural Patterns
• CESG Security Procedures
• Technical Threat Briefings
• CESG IA Notices

On Contract Award, IT Security Managers should contact enquiries@cesg.gsi.gov.uk quoting Government Procurement Service as the sponsoring organisation.

HMG Information Assurance Standards: IS1 & 2, Information Risk Assessment

Risk Management Requirement 8

Departments & Agencies must assess the technical risks to the Confidentiality, Integrity and Availability of their ICT systems or services. A technical risk assessment must be conducted at the start of all HMG ICT projects or programmes, and must be refined to reflect any change. The findings of all technical risk assessments must be reviewed at least annually to identify any changes to threat, vulnerability or impact.

Supports MR 8 of the SPF

HMG Information Assurance Standards: IS1 & 2, Information Risk Assessment

Risk Management Requirement 13

The findings of the technical risk assessment must inform and substantiate the selection, and implementation approach, of the controls used to treat the identified technical risks. The approach to selection and implementation must be endorsed by the Accreditor or their delegated authority.

Supports MR 9 of the SPF

HMG Information Assurance Standards: IS1 & 2, Information Risk Assessment

Risk Management Requirement 14

The risk treatment plan must include as a minimum the mandatory protective controls from the SPF, HMG IA Standards and other relevant Tier 4 policy documents.

Supports MR 9 of the SPF

HMG Information Assurance Standards: IS1 & 2, Information Risk Assessment

Risk Management Requirement 15

By default every HMG Information system or service with a Business Impact Level (IL) of 3 or above for either Confidentiality, Integrity or Availability must implement the full set of controls as defined in the Baseline Control Set of the supplement to this standard.

Baseline Control Set

IS1-2 Supplement, Appendix A
• Aligned to ISO27001 Control References 5 to 15
• DETER level guidance for IL2/3
• Suitable to treat all risks up to and including Medium
• Risks identified as Medium-High or High must have additional mitigation in place

RMADs Accreditation

Risk Management & Accreditation Document Set

• The confidence that the risks to information systems are being properly managed is known as Information Assurance (IA), and the formal assessment of an information system against its IA requirements is known as accreditation.
• All ICT systems or services that process, handle or store protectively marked or personal [or sensitive] Government information must be accredited using IAS 1-2 and reviewed annually (e.g. >= IL 2).
• Accreditation is the business process for managing information risk of ICT systems and services.

RMADs Accreditation

Accreditation Stages
• The accreditation process must start as early as possible.
• Initial requirements identified at Stage 0.
• Preliminary process started by Stage 1.
• Process starts around Stage 3.
• Accreditation approval at Stage 4.
• Accreditation maintenance: Situation Awareness, Stage 5.
• End of life: Decommissioning, Stage 6.

RMADs Accreditation

Accreditation Stages
1. Project Initiation: meet SRO/PM; agree Risk Owner (SIRO, Senior Information Risk Owner); set C, I and A business impact levels; agree risk tolerance based on Government Procurement Service risk appetite.
2. Set up IA management team: agree accreditation plan.
3. Draft RMADS and initial IAS1 risk assessment: approved by Accreditor.
4. Technical Security Architecture defined: approved by Accreditor and/or CESG Design Review.
5. System built.
6. Physical, procedural, personnel and technical (P3T) inspections including ITHC (IT Health Check): consolidated risk register.
7. User Acceptance Testing.
8. SIRO acceptance of residual risk and RMADs accreditation sign off.
9. Annual security review (including ITHC) and re-accreditation.
10. Decommission.

RMADs Accreditation

Interconnections: PSN, CJX, N3

Approaches to the risk management and accreditation of interconnections will vary depending on complexity; however, in all cases a formal agreement on the interconnection is required.

Approaches may include:
• A Code of Connection (CoCo, e.g. PSN) for a single point to point connection;
• A Community Security Policy (CSP) defining the mandatory security requirements for connection to a community of interconnected systems or services;
• Shared service agreements: develop trust between shared IA managers.

The Accreditation approach for the required interconnections will be agreed following contract award when the proposed solution is known.

RMADs Accreditation

Outsourcing & Offshoring
• Host environments, data centres and other ICT services supplied by third parties/sub-contractors may also require accreditation.
• GPG6: Outsourcing & Offshoring: Managing the Security Risks
  • Supplementary controls for systems in addition to those in ISO27001
  • A detailed risk assessment must be performed prior to transitioning service delivery to an external third party
  • The service provider is required to operate the contract in accordance with UK law, the SPF and all associated standards and guidance

RMADs Accreditation

Overview of Contents

Section 1: Accreditation Status
• Accreditation Statement
• Accreditation History
• Links & Dependencies
• Register of Applicable Legislation

Section 2: Basic Information
• Business Context
• Description of Service
• Information Asset List
• Interconnections & Interfaces
• Accreditation Scope
• Responsibilities & Functions
• Accreditation Review Process

RMADs Accreditation

Overview of Contents - continued

Section 3: Information Risk Management
• Corporate Risk Environment
• Business Impact Statement
• Technical Risk Assessment (IS1) & Risk Register
• Risk Treatment Plan
• Implementation Plan
• Assurance Plan
• Residual Risk Assessment & Gap Analysis

Section 4: Development, Acceptance & In-Service
• Information Risk Management Plan (Security Case)
• Results of IA Verification, Testing and Inspections (including ITHC)
• Security Operations Procedures (SyOps)
• Incident Management, Reporting & Response (including BCP)
• Decommissioning and Disposal Procedures

RMADs Accreditation

• For specific technical and functional requirements please contact the Government eMarketplace II procurement team.
• Successful bidders are strongly advised to engage a CLAS (CESG Listed) Consultant on Contract Award to assist with the RMADs process.

Next Steps

• High Level Specification available online w/c 13th August 2012: http://gps.cabinetoffice.gov.uk/i-am-supplier/supplier-industry-days
• Any questions or queries prior to issue of OJEU: email them to Ge-M-II@gps.gsi.gov.uk