Request for Proposal (RFP) for Selection of Agency for Cloud Management Office (CMO)


Request for Proposal (RFP)

for

Selection of Agency for

Cloud Management Office (CMO)

Department of Information Technology

Electronics Niketan, 6, CGO Complex

New Delhi-110 003

XXXX September 2015


Contents

GLOSSARY

1. BACKGROUND

2. PURPOSE OF THE RFP

3. RFP ISSUING AUTHORITY

4. TENTATIVE CALENDAR OF EVENTS

5. SCOPE OF WORK

6. DELIVERABLE PREPARATION METHODOLOGY

7. GOVERNANCE STRUCTURE AND ACCEPTANCE OF DELIVERABLES

8. RESOURCE REQUIREMENTS

9. PROJECT TIMELINES

10. PAYMENT SCHEDULE

11. INSTRUCTIONS TO BIDDERS

12. PROCESS OF EVALUATION

13. GENERAL CONDITIONS

ANNEXURE 1: DOMAINS & CRITICAL AREAS TO BE ADDRESSED

ANNEXURE 2: PRE-QUALIFICATION CRITERIA

ANNEXURE 3: FORM FOR SUBMISSION OF PREQUALIFICATION INFORMATION

ANNEXURE 4: METHODOLOGY FOR EVALUATION OF TECHNICAL PROPOSAL

ANNEXURE 5: FORM FOR SUBMISSION OF TECHNICAL BID

ANNEXURE 6: FORM FOR SUBMISSION OF FINANCIAL BID

ANNEXURE 7: REQUEST FOR CLARIFICATION FORMAT

ANNEXURE 8: RFP RESPONSE COVER LETTER

ANNEXURE 9: UNDERTAKING ON ABSENCE OF CONFLICT OF INTEREST

ANNEXURE 10: FORMAT FOR PREVIOUS PROJECT EXPERIENCE

ANNEXURE 11: FORMAT FOR PROFILE SUMMARY & PROFILES

ANNEXURE 12

Glossary

1. Background

MeghRaj Policy of Government of India

Cloud Computing Services provide a new model of offering services (including IaaS, PaaS and SaaS) to users at a fast pace which is also cost effective. In order to utilize and harness the benefits of Cloud Computing, Government of India has embarked upon a very ambitious and important initiative – “GI Cloud”, which has been coined MeghRaj. The focus of this initiative is to evolve a strategy and implement various components, including a governance mechanism, to ensure the proliferation of Cloud in government.

DeitY has announced the MeghRaj Policy to provide strategic direction for the adoption of cloud services by the Government (http://deity.gov.in/content/gi-cloud-initiative-meghraj). The aim of the cloud policy is to realize a comprehensive vision of a government private cloud environment available for use by central and state government line departments, districts and municipalities to accelerate their ICT-enabled service improvements. The MeghRaj policy of DeitY states that “Government departments at the Centre and States to first evaluate the option of using the GI Cloud for implementation of all new projects funded by the government. Existing applications, services and projects may be evaluated to assess whether they should migrate to the GI Cloud.”

As per the MeghRaj policy, it is proposed to:

a. Setup GI Cloud: GI Cloud, Government of India’s cloud computing environment, will be a set of discrete cloud computing environments spread across multiple locations, built on existing or new (augmented) infrastructure, following a set of common protocols, guidelines and standards issued by the Government of India. The GI Cloud services will be published through a GI Cloud Services Directory. The GI Cloud environment is envisaged to be initially established – building on the infrastructure investments already made or augmentation of the same – by the creation of discrete cloud computing environments at the national and state levels, termed ‘National Clouds’ and ‘State Clouds’ respectively. Based on the demand, and taking into account security related considerations, government proposes to engage the services of private cloud providers.

b. Create eGov AppStore: eGov AppStore will include the setting up of a common platform on National Clouds to host and run applications, developed by government agencies or private players, which are easily customisable and configurable for reuse by various government agencies or departments at the central and state levels without investing effort in the development of such applications.

c. Publish through GI Cloud Services Directory: The GI Cloud services and the applications in eGov AppStore will be published through a single GI Cloud Services Directory for use by government departments or agencies at the Centre and States.

Implementation Strategy

Implementing the MeghRaj Policy to realize the GI Cloud Services and facilitate the adoption of GI Cloud services by the end user departments requires a multi-pronged approach.

a. Identification of the relevant Standards and development of the required guidelines

Below diagram provides the high-level view of the cloud ecosystem with the various actors along with the indicative roles.


The cloud providers would require the common standards & guidelines on the security, interoperability, data portability, SLAs, contractual terms & conditions, service definitions that they would need to adhere to in order to be part of the GI Cloud environment.

From a cloud consumer perspective, the consumers would require guidelines on selecting a cloud service provider within the GI Cloud Services Directory, guidelines on integrating the cloud services with the internal IT systems and the recommended contractual terms & conditions along with the service levels that will have to be executed between the cloud consumer and the cloud service provider.

The below diagram depicts the need for various guidelines / standards from the stakeholder perspective.


In order to realize the policy and facilitate cloud services’ adoption by the Center and States, there is a need to define the GI Cloud Reference Architecture, identify the common standards and service definitions; develop guidelines with respect to security, service delivery, interoperability and portability that the cloud service providers (CSPs) will have to adhere to, for the departments to leverage cloud services.

b. Facilitate Setting up of GI Cloud

Once the standards and guidelines are published, the Cloud Service Providers will need to get accredited by DeitY to become part of the GI Cloud. The accreditation of offered cloud services will require certification of compliance to the published standards and guidelines. It is expected that the audit of cloud services to verify the compliance will be carried out by the cloud auditors. The cloud auditors will be accredited / empaneled through an accreditation / empanelment process and will have to adhere to the audit guidelines that will be published by DeitY.


c. Capacity Building of the end-user departments

There is a key need to create the awareness of these initiatives in the user departments, showcase the advantages of migrating to cloud services and ways to address the potential risks for faster adoption of the policy. The departments will also need considerable handholding support in navigating the applicable standards & guidelines and migrating to the cloud services. Further, the capacity building initiatives need to be taken up at the department level to enhance the capabilities of the department to procure & manage the contracts with the cloud service providers.

Cloud Management Office (CMO)

To facilitate the implementation of the MeghRaj policy and realize its vision, DeitY proposes to set up a Cloud Management Office (CMO) that will take a lead role in operationalizing the cloud initiative. CMO will help in setting up an ecosystem for GI Cloud, leading to faster implementation of the cloud policy to realize the intended benefits of GI Cloud. The end objective of the CMO is to facilitate the publishing of GI Cloud services through a single GI Cloud Services Directory and to enable end user government departments, both at the Centre and States, to leverage the cloud services.

[Figure: Cloud Management Office (CMO) - Concept of Operations. A swimlane diagram with lanes for DeitY, the Architecture Management Group (AMG), the Empanelment & Accreditation Group (E&AG), SaaS / CSP Auditors, Central / State Departments, the GI Cloud Portal and Directory Agency, and CSP / SaaS Offerings Providers. The flows shown are as follows. AMG publishes the Reference Architecture, Standards, Specifications and Frameworks; the Auditor Accreditation Guidelines & Processes; the CSP Offering / SaaS Offering Accreditation Guidelines & Processes; the Training Curriculum, Content and Plan; and the Guidelines, Model SLAs and Model Contracts. Auditor accreditation: a prospective auditor applies for accreditation; E&AG verifies the credentials of the prospective auditor as per the guidelines and recommends accreditation; DeitY accredits the auditor. Offering accreditation: a CSP / SaaS provider applies for accreditation and selects an accredited auditor; the auditor audits the CSP Offerings & SaaS Offerings for adherence to the standards and processes and submits the findings for verification; E&AG verifies the audit findings and recommends accreditation; DeitY accredits the SaaS Offerings & CSP Offerings. Publication and use: the GI Cloud Portal and Directory Agency adds the accredited SaaS Offerings and CSP Offerings to the GI Cloud Directory; Central / State Departments view the details of the CSP Offerings & SaaS Offerings in the Directory, select CSP Offerings and SaaS Offerings, and apply the Model SLAs, Model Contracts etc.]

While under the overall architecture the Cloud Management Office (CMO) will operate across three verticals, the responsibility of the Agency selected under this RFP will be a sub-set of the activities, as indicated below:

1. Architecture Management Group (AMG), with the responsibility of identification of the relevant standards, development of specifications & frameworks and formulation of the required guidelines.

2. Empanelment and Accreditation Group (E&AG), with the responsibility of accrediting the Cloud Auditors and accrediting the services offered by the Cloud Service Providers. E&AG will assist in overall program management of the cloud initiatives in DeitY and, more importantly, in operationalizing the accreditation processes for the auditors, the offerings of cloud service providers and the offerings of SaaS providers.

Responsibility of the Agency selected under this RFP: preparation of guidelines, RFPs, contracts and other artifacts required for the accreditation / empanelment of cloud & SaaS auditors and the accreditation of services offered by cloud service providers.

DeitY will undertake the accreditation process as a separate activity.

3. Capacity Building & Advisory Services Group (CB&AG), with the responsibility of creating awareness about the cloud initiative and assisting the end user departments in migrating to the GI Cloud.

Responsibility of the Agency selected under this RFP: preparation of training material and artifacts, and delivery of training to the trainers.

DeitY will undertake the delivery of training and advisory services to the end user departments as a separate activity.

CMO will also support DeitY in the overall coordination and monitoring of the progress of the cloud related initiatives, including the GI Cloud environment, eGov AppStore and GI Cloud Services Directory.

2. Purpose of the RFP

The primary purpose of this RFP is to enable DeitY to select an Agency that acts as the Cloud Management Office (CMO) and carries out the activities envisaged for the CMO. The details of the assignment, scope of work, evaluation process are outlined in the sections below.

The RFP is not an offer by DeitY but an invitation to receive proposals from eligible and interested bidders in respect of the above-mentioned project. The RFP does not commit DeitY to enter into a binding agreement in respect of the project with the potential bidders. Potential bidders are henceforth referred to as “Bidders” in this document.

3. RFP Issuing Authority

This RFP is issued by DeitY to the bidders and is intended to select the Agency for setting up the Cloud Management Office (CMO). DeitY’s decision with regard to the selection of bidders through this RFP shall be final, and DeitY reserves the right to reject any or all the bids without assigning any reason.

S. No. | Item | Description

1 | Project Title | Selection of Agency for Cloud Management Office (CMO)

2 | Project Initiator / RFP Issuer Details |

Department: Department of Electronics and Information Technology (DeitY)

Contact Person: Kshitij Kushagra, Scientist D/Joint Director, Department of Information Technology, Electronics Niketan, 6, CGO Complex, New Delhi-110 003, Tel: +91-11-124301423

Contact Person (Alternate): Uma Chauhan, Scientist F/Director, Department of Information Technology, Electronics Niketan, 6, CGO Complex, New Delhi-110 003, Tel: +91-11-24364711

Email Address for all Bid Correspondence: XXXXXXX(Email ID)

Address for the purpose of Bid Submission: Kshitij Kushagra, Scientist D/Joint Director, Department of Information Technology, Electronics Niketan, 6, CGO Complex, New Delhi-110 003, Tel: +91-11-124301423

DeitY Website: http://deity.gov.in/

4. Tentative Calendar of Events

The following table enlists important milestones and timelines for completion of bidding activities:

S. No. | Milestone | Date and time

1 | Release of Request For Proposal (RFP) | XXX 2015 (T0)

2 | Last date for submission of written questions by bidders | XXX 2015 (T0+8d)

3 | Pre-Bid Conference | XXX 2015 (T0+10d)

4 | Date of Issue of Clarifications | XXX 2015 (T0+15d)

5 | Last date for Submission of bids | XXX 2015; 16:00 hours (T0+6 weeks)

6 | Opening of Tech Bids | XXX 2015; 16:30 hours (T0+6 weeks)

5. Scope of Work

The overview of the scope of work of the Agency as the Cloud Management Office (CMO) is given below:

1. Identification of the relevant Standards; Development of Specifications; Creation of Frameworks; and Formulation of the required guidelines

2. Designing the Accreditation Strategies, Processes, Templates, RFPs and MSAs for accreditation of the Cloud & SaaS Auditors and Offerings of the Cloud Service Providers and SaaS Providers

3. Developing Capacity Building Curriculum, Content & Artifacts

4. Support DeitY and End User Departments

While the broad scope, as per the current understanding, is elaborated in this section, it is envisaged that requirements for new deliverables such as new standards, frameworks, guidelines, training artifacts will be discovered as the policy gets implemented on ground.

The Agency, under the role of CMO, will take up the new deliverables that fall within its original objective of assisting DeitY in realization of the below mentioned project outcomes at no additional cost to DeitY.

1. Enabling of GI Cloud Directory enabled with various accredited cloud services offerings from Private Cloud Service Providers, PSU Cloud Service Providers, State & National Government Cloud Services

2. Frameworks, Guidelines and Training Artifacts available for the end user departments to evaluate, procure, migrate and leverage cloud services

DeitY will re-prioritize the planned deliverables / work items so that the new deliverables can be taken up within the same overall effort. Refer to the Section 9: Project Timelines for the quarterly deliverable plan.

The operationalization of the accreditation processes & implementation of the capacity building programs & advisory services is out of scope for the Agency.


Work Item 1: Definition of the Services / Standardization of the Nomenclature of Cloud Service Offerings

The objective of this work item is to enable standardization of the nomenclature of various service offerings across the end user departments and the cloud service providers offering services to government departments. As per the MeghRaj Policy, Government of India has adopted the National Institute of Standards and Technology’s (NIST) definition of cloud computing including the essential characteristics, service models, and deployment models as defined by NIST. Any other services / service offerings that are not defined under NIST need to be defined with the objective of standardization.

The scope of the Agency under this work item includes:

1. Comprehensive listing of service offerings of the cloud service providers along with the details of the offerings in consultation with the cloud service providers

2. Adopted definition of each of the Services (beyond the ones defined under NIST) from the widely accepted definitions from global standards agencies / institutes

3. Create a standard listing of the service offerings to enable creating a common service catalogue

4. Background note providing the list of different services, available definitions from the different standards organization and details of the analysis

5. End-user guide for easier understanding of the definitions

Work Item 2: Prioritization of the Cloud Service Offerings

There are multiple offerings of Cloud Service Providers that include IaaS, PaaS, SaaS, Disaster Recovery-as-a-Service (DRaaS), Testing-as-a-Service, Security-as-a-Service, Storage-as-a-Service, …. The objective of this Work Item is to prioritize the cloud service offerings so that the standards / specifications / guidelines for the highest priority / highest demand cloud service offerings can be identified and published at the earliest, to facilitate faster adoption of cloud services by the end user departments.

The scope of the Agency under this work item includes:

1. Background note detailing the summary of consultations with DeitY and key stakeholders to assess the needs of the end-user departments and assist in prioritization, through 1 – 2 workshops that will be facilitated by DeitY.

2. Prioritization & phasing of the cloud service offerings for which the standards, specifications and guidelines have to be developed in the first phase

Once the highest priority / highest demand cloud service offerings are addressed in the first phase, the remaining ones shall be addressed in a phased manner.

Work Item 3: Detailing the GI Cloud Reference Architecture

GI Cloud reference architecture is required to standardize the nomenclature of terms, the various actors and their roles & responsibilities in the GI Cloud ecosystem. As indicated earlier, Government of India has adopted the Conceptual Reference Model of the National Institute of Standards and Technology (NIST). The objective of this work item is to further elaborate and expand the reference architecture to suit the requirements of GI Cloud. In case it is found appropriate to adopt a new reference architecture (other than the NIST reference architecture), the same needs to be recommended for adoption with full justification, in consultation with DeitY.

The scope of the Agency under this work item includes:

1. Study & Analysis of the available reference architectures (e.g., NIST, CSA,…) widely used / adopted for cloud computing domain

2. Background note providing the underlying analysis of the various reference architectures studies to arrive at the recommendations

3. Recommendation on the GI Cloud Reference Architecture detailing to the micro level

4. End-user guide for easier understanding of the reference architecture

5. Development of a clickable map/chart providing details of all components, so that it can be used for reporting of status of individual deliverables

Indicative References that may be studied for better understanding of the work item:

i. Standards Developing Organizations and Industry Bodies such as NIST, CSA, …

ii. Major OEMs such as IBM, Intel, HP, Microsoft, …

iii. Major CSPs that publish their own reference architecture

Work Item 4: Risk & Security Assessment and Decision Framework

Different departments deal with data of varying sensitivity. Some of the data (personal identifiable information, payment details,..) may need to be managed as per the applicable Indian Government’s Laws & Regulations. Similarly, the security requirements of the departments may also vary and are amenable for categorization into pre-defined categories. Once the risk & security profile of the application is assessed, the department needs to understand the available options of the cloud services that may be leveraged for their set of applications / data. The available options may be classified (indicative only) on the following:

1. Nature of cloud service offerings (public, private, community, hybrid);

2. Ownership of cloud service providers (Private, PSU, Government, Own);

3. Operational control of cloud services (Private, PSU, Government, Own);

4. Level of control / responsibilities of cloud services shared between the cloud consumer and cloud service provider (least to complete control); and

5. Location of data (within India, on-premises, off-premises).

The objectives of this Work Item are:

1. Standardize the business impact / risk & security levels to enable departments adopt uniform terminology

2. Provide frameworks and tools to enable departments to

a. Assess the risk & security profile of their applications / data / services for cloud adoption / migration and

b. Understand the available options of the cloud services that may be leveraged for their set of applications / data


The scope of the Agency under this work item includes:

1. Study of the existing standardization of risk levels adopted in different countries to understand the various prevalent risk levels. The team also needs to consult with CERT-In, the Data Security Council of India (DSCI), the National Critical Information Infrastructure Protection Centre (NCIIPC) and NTRO, and study the IT Act (including its amendments), the National Cyber Security Policy and other relevant Acts & Policies for formulating the recommendations. Meetings for the same shall be facilitated by DeitY.

2. Study the applicable Indian Laws & Regulations as well as the Foreign Regulations (e.g., US PATRIOT Act,…) that may become applicable on the adoption of cloud services

3. Recommendation on the Standardization of Business Impact / Risk and Security Levels

4. Framework for assessing the risk & security profile (as per the standardized risk levels) of any given application / service / data being considered for adoption / migration to cloud

5. Framework for assessing the available options of the cloud services (nature of cloud service offerings; nature of cloud service providers; and location of data) that may be leveraged for a given risk & security levels

6. Tool for end user to navigate through the frameworks developed above with a set of questions & answers

7. Background note providing the various risk levels adopted in other countries, relevant inputs from the stakeholder discussions, inputs considered from applicable Acts & Policies and details of the underlying analysis & justification of the developed frameworks & tools

8. End-user guide with scenarios / examples for easier understanding of the risk & security levels

9. End-user guides with scenarios / examples for easier understanding of the frameworks and tools needs to be prepared
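The following is an added illustration, not part of the RFP and not DeitY's framework, of what the Work Item 4 deliverables (a standardized impact level, an assessment framework and a question-and-answer tool) look like once they are encoded so that they can be checked mechanically. It takes the answers a department would give about an application, derives an impact level by taking the highest level triggered by any answer (the approach of the HMG Business Impact Level tables the RFP cites), and then tests a proposed cloud option against the options permitted at that level along three of the five dimensions listed above (deployment model, provider ownership, data location). The three levels, the question thresholds and the permitted-option table are assumptions chosen for the illustration; the RFP leaves all of them to be defined in consultation with DeitY and the listed stakeholders.

```python
"""Added illustration: a risk-and-security decision framework of the kind
Work Item 4 describes, encoded as checkable rules. Not part of the RFP;
every level, threshold and permitted-option set below is an assumption."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Assumed standardized business impact / risk levels (RFP item 3 asks
    the Agency to recommend the real ones)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Three of the five option dimensions listed in the RFP, with the values given there.
DIMENSIONS = {
    "deployment": ("public", "community", "hybrid", "private"),
    "ownership": ("Private", "PSU", "Government", "Own"),
    "location": ("within India", "on-premises", "off-premises"),
}


@dataclass
class AppProfile:
    """Answers to the assumed question-and-answer tool (RFP item 6)."""
    name: str
    holds_pii: bool = False            # personal identifiable information
    holds_payment_data: bool = False   # payment details
    citizen_facing: bool = False
    max_tolerable_outage_hours: float = 72.0


def assess_impact(app: AppProfile) -> Impact:
    """Each answer maps to a minimum level and the highest one wins, so a
    single high-sensitivity attribute is never averaged away by benign
    answers elsewhere. Thresholds are assumptions."""
    triggered = [Impact.LOW]
    if app.holds_pii:
        triggered.append(Impact.MEDIUM)
    if app.holds_payment_data:
        triggered.append(Impact.HIGH)
    if app.citizen_facing:
        triggered.append(Impact.MEDIUM)
    if app.max_tolerable_outage_hours <= 4:
        triggered.append(Impact.HIGH)
    elif app.max_tolerable_outage_hours <= 24:
        triggered.append(Impact.MEDIUM)
    return max(triggered)


# Assumed permitted options per level (RFP item 5 asks for the real framework).
ALLOWED = {
    Impact.LOW: {
        "deployment": {"public", "community", "hybrid", "private"},
        "ownership": {"Private", "PSU", "Government", "Own"},
        "location": {"within India", "on-premises", "off-premises"},
    },
    Impact.MEDIUM: {
        "deployment": {"public", "community", "hybrid", "private"},
        "ownership": {"Private", "PSU", "Government", "Own"},
        "location": {"within India", "on-premises"},
    },
    Impact.HIGH: {
        "deployment": {"community", "private"},
        "ownership": {"PSU", "Government", "Own"},
        "location": {"within India", "on-premises"},
    },
}


def table_is_monotone() -> bool:
    """Drafting check: a higher level must never permit an option that a
    lower level forbids."""
    levels = list(Impact)
    for lower, higher in zip(levels, levels[1:]):
        for dim in DIMENSIONS:
            if not ALLOWED[higher][dim] <= ALLOWED[lower][dim]:
                return False
    return True


def is_permitted(app: AppProfile, **choice: str):
    """Check a proposed option (deployment=..., ownership=..., location=...)
    against the level derived for the application. Returns (ok, reasons).
    An unknown dimension or value is an error, not a silent pass."""
    level = assess_impact(app)
    reasons = []
    for dim, value in choice.items():
        if dim not in DIMENSIONS or value not in DIMENSIONS[dim]:
            raise ValueError(f"unknown option {dim}={value!r}")
        if value not in ALLOWED[level][dim]:
            reasons.append(f"{dim}={value!r} is not permitted at level {level.name}")
    return not reasons, reasons


if __name__ == "__main__":
    app = AppProfile("fee payment portal", holds_payment_data=True, citizen_facing=True)
    print(app.name, "->", assess_impact(app).name)
    print(is_permitted(app, deployment="public", ownership="Private", location="off-premises"))
    print(is_permitted(app, deployment="private", ownership="Government", location="within India"))
```

Two properties are worth preserving when such a table is drafted for real: the permitted sets must shrink monotonically as the level rises (table_is_monotone checks this, so a drafting slip cannot quietly open a public, off-premises option to a high-impact workload), and an option value the tool does not recognise should be rejected loudly rather than treated as permitted.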

Indicative References that may be studied for better understanding of the work item:

i. Similar frameworks developed by the US (e.g., FedRAMP, NIST, …), UK (e.g., Extract from HMG IA Standard No. 1 Business Impact Level Tables), EU (e.g., Moving to Cloud (a white paper produced by the Cloud Computing Use Cases Discussion Group)), Singapore (e.g., Multi-Tier Cloud Security), …

ii. Similar frameworks developed by Industry Bodies / Associations and major OEMs

Work Item 5: Identify the domains & critical areas where Standards have to be identified and Specifications / Model Frameworks / Templates / Guidelines are to be developed

The indicative domains and areas where Standards have to be identified and Specifications, Model Frameworks, Templates and Guidelines have to be developed are listed under Annexure 1. The GI Cloud Reference Architecture may be used as a baseline for identifying the various domains.

The scope of the Agency under this work item includes:

1. Comprehensively identify all the domains (e.g., functional, non-functional, technical, security, operational, legal,..), sub-domains and critical areas relevant to cloud computing

2. Create a matrix identifying how each domain would be addressed, i.e., whether the domain would require one or more of: Standards / Specifications / Model Frameworks / Templates along with the nature of the framework / template. It is expected that some of the domains would require a multi-pronged approach. For example, data lifecycle may have to be addressed through defining specifications as well as appropriate terms within a Service Level Agreement and Master Services Agreement.

This is a pre-requisite for the identification of standards or the development of the necessary specifications, frameworks and templates. Since the underlying domains are ever evolving, the identified domains need to be revised on a semi-annual (or periodic) basis.

Indicative References that may be studied for better understanding of the work item:

i. Domains and Sub-Domains listed under the various Reference Architectures need to be studied

ii. Security:

a. Australia (Cloud Computing Security Considerations)

b. Australia (Information Security Principles)

c. EU (Cloud Certification Schemes Metaframework)

d. Singapore (Multi-Tier Cloud Security)

e. Singapore (CSA-MTCS – Gap Analysis, Audit Checklist)

f. Singapore (ISO-27001-2005 – Gap Analysis, Audit Checklist)

g. Singapore (ISO-27001-2013 – Gap Analysis, Audit Checklist)

h. UK (Cloud Security Guidance: IaaS Consumer Guide)

i. UK (Implementing the Cloud Security Principles)

j. US (FISMA)

k. US (FIPS)

l. US (Template and Process Quick Guide)

m. US (An Introductory Resource Guide for Implementing the HIPAA Security Rule)

n. US (FedRAMP Security Controls & Templates)

o. US (NIST – Guidelines on Security and Privacy in Public Cloud Computing)

p. US (NIST – Guide to NIST Information Security Documents)

q. US (Continuous Monitoring Strategy & Guide)

r. US (Cloud Computing Security Requirements for DoD / Governments (U.S))

s. PCI (Information Supplement: PCI DSS Cloud Computing Guidelines)

t. CSA (CCM Info Sheet & CAIQ Info Sheet)

u. CSA (Security Considerations for Private versus Public Clouds)

v. CSA (Security Guidance for Critical Areas of Focus in Cloud Computing)

iii. Privacy:

a. Australia (Privacy and cloud computing for Australian Government Agencies – Better Practice Guide)

b. … Australian Government Agencies)

c. CSA (Privacy Level Agreement Outline for the sale of cloud services in European Union)

d. US (NIST – Guidelines on Security and Privacy in Public Cloud Computing)

e. US (Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies)

iv. Legal:

a. Australia (Negotiating the cloud - legal issues in cloud computing agreements)

b. EU (Cloud Contracts – Expert Group)

c. UK (Contract Terms and Conditions for Eduserv Cloud Computing)

d. US (FedRAMP Standard Contract Language)

e. US (Creating Effective Cloud Computing Contracts for the Federal Government)

v. Miscellaneous:

a. Australia (Community Cloud Governance – An Australian Government Perspective - Better Practice Guide)

b. Australia (Cloud Computing Strategic Direction Paper)

c. Australia (Records Management and the Cloud - Checklist)

d. Australia (Financial Considerations for government use of cloud computing)

e. EU (Code of Conduct – Expert Group)

f. EU (Review of the European Data Protection Directive)

g. EU (SLA – Expert Group)

h. Singapore (Guidelines on Outsourcing)

i. US (NIST - Cloud Computing Synopsis and Recommendations)

j. US (NIST - Cloud Computing Technology Roadmap – Volume 1)

Work Item 6: Mapping & Evaluation of existing standards & certifications relevant to Cloud Computing

While there may be a few areas where standards may not exist, standardization and certification actions for cloud computing are already taking place.

The scope of the Agency under this work item includes:

1. Comprehensively identify all the existing published standards & certification schemes from the standards setting / certification organizations relevant to cloud service providers / cloud auditors

2. Map the existing standards & certification schemes to the domains / sub-domains / critical areas (for example, security, interoperability, data protection,…) that they address

3. Framework to evaluate the standards & certification schemes for suitability for adoption for GI Cloud

4. Evaluation of the standards & certification schemes using the developed framework to assess the suitability for GI Cloud

5. Tool that allows customers to choose a set of relevant security objectives and that refers to the certification schemes that contain controls and measures to meet the security objectives.

6. Identify the gaps where standards do not exist or are currently evolving and hence identifying the need for developing specifications

Since the underlying standards are ever evolving, the map of existing published standards & certification schemes needs to be updated / revised on a semi-annual (or periodic) basis to be in tune with the new standards.

Indicative References that may be studied for better understanding of the work item:

i. Australia

a. Draft Report on CSP Certification Requirements for the Australian Government

ii. UK

a. Cloud Security Guidance: Standards and Definitions

iii. EU

a. Auditing Security Measures – An Overview of Schemes for Auditing Security Measures

b. Cloud Certification Schemes Metaframework

c. Certification Schemes – Expert Group

d. Certification in the EU Cloud Strategy

e. ENISA Certification Tool Manual

f. Cloud Standards Coordination - Final Report

iv. US

a. NIST Cloud Computing Standards Roadmap

v. Standards from Standards Developing Organizations and Industry Bodies such as:

a. Cloud Computing Interoperability Forum (CCIF)

b. Cloud Industry Forum (CIF)

c. Cloud Standards Customer Council (CSCC)

d. Cloud Security Alliance (CSA)

e. Distributed Management Task Force (DMTF)

f. European Network and Information Security Agency (ENISA)

g. European Telecommunications Standards Institute (ETSI)

h. Global Inter-cloud Technology Forum (GICTF)

i. Health Insurance Portability and Accountability Act (HIPAA)

j. Institute of Electrical and Electronics Engineers (IEEE)

k. International Organization for Standardization (ISO)

l. International Telecommunication Union (ITU)

m. National Institute of Standards and Technology (NIST)

n. Object Management Group (OMG)

o. Open Cloud Connect

p. Open Cloud Consortium (OCC)

q. Open Grid Forum (OGF)

r. Organization for the Advancement of Structured Information Standards (OASIS)

s. Payment Card Industry Data Security Standard (PCI DSS)

t. Storage Networking Industry Association (SNIA)

u. Telemanagement Forum (TM Forum)

v. The Open Group

Work Item 7: Identify Standards & Develop Specifications (where required) against the domain areas identified above (for each of the risk / business impact levels & different cloud service offerings)

With respect to accreditation of the offerings of cloud service providers / SaaS providers, it is envisaged that for the majority of the domains / sub-domains / critical areas (for example, security, interoperability, data protection,…), the existing & widely prevalent standards will be adopted. For domains, where such standards do not exist or are still evolving or are proprietary in nature or conflicting in nature, specifications (functional & non-functional requirements) may be developed to address such gaps. In case a standard addresses majority of the sub-areas within a domain and not necessarily all the sub-areas that make up the domain, incremental specifications may be developed to address the gaps. In case substitutable standards exist (i.e., either of the standard may serve the objective) for the same domain, both have to be identified. Also, the exercise needs to identify sector specific (personal identifiable information, SOC,…) standards where available.

The scope of the Agency under this work item includes:

1. Background note providing a summary of the consultations with the industry and expert group, a key constituent of this work item.

2. Background note with the analysis of the different standards available for the same domain and the rationale for recommending a particular standard.

3. Recommend standards mapped to the different risk & security levels and the different cloud service offerings

4. Develop specifications where there are no standards or the existing standards may not suit the risk & security requirements

5. End-user guide for easier understanding of the recommended standards for the different risk & security levels

Since the underlying standards are ever evolving, the recommended standards & developed specifications need to be revised on a semi-annual (or periodical) basis to be in tune with the new standards.

Work Item 8: Develop Frameworks, Templates & Guidelines for Standardization of the different Cloud Service Offerings

There will be areas identified under Work Item 5 (e.g., details of the offerings of the cloud service providers, commercial details,..) where standards are not applicable but which have to be addressed through frameworks, model templates and guidelines. The primary objectives of such frameworks, templates and guidelines are to enable comparison of the cloud service offerings from the different cloud service providers and to ensure fair SLAs & contract terms that protect the interests of the government departments.

The scope of the Agency under this work item includes developing the frameworks, templates and guidelines. Some of the areas where such frameworks, templates and guidelines are required include:

1. Capturing the various attributes of service offerings of the cloud service providers identified under Work Item 1 including the commercial details

2. Service Level Objectives

3. Service Level Agreements

4. Master Service Agreements

5. Model Request for Proposals for procurement of various cloud services

6. Along with the frameworks, templates and guidelines, end-user guides for easier understanding of the artifacts need to be prepared

Indicative References that may be studied for better understanding of the work item:

i. Service Standardization

a. UK (Standardization of Cloud Service Definitions)

ii. RFP

a. US (Statement of Objectives for Cloud Services Migration - Template)

b. US (Statement of Objectives for IAAS Blanket Purchase Agreement)

c. US (IAAS BPA)

iii. SLA

a. EU (SLA – Expert Group)

b. EU (CSCC - Practical Guide to Cloud Service Agreements)

c. EU (Cloud Service Level Agreement Standardization Guidelines)

iv. Contract

a. Australia (Better Practice Checklist – Privacy and Cloud Computing for Australian Government Agencies)

b. UK (Supplier Terms and Conditions for G-Cloud Services)

c. EU (Cloud Contracts – Expert Group)

d. EU (Code of Conduct – Expert Group)

e. EU (Review of European Union Data Protection Directive)

f. US (GSA IaaS Blanket Purchasing Agreement Ordering Guide)

g. CSA (Privacy Level Agreement Outline for Sale of Cloud Services)

h. CSA (Privacy Level Agreement)

v. Miscellaneous

a. US (Continuous Monitoring Strategy and Guide)

Work Item 9: End-user Guides / Guidelines to assist the end user departments in evaluating and migrating to cloud services

In addition to the end user guides mentioned in the respective work items, there will be a requirement for composite end-user guides to assist the users in more easily understanding & navigating the various standards, frameworks, guidelines & templates in their approach towards adoption of cloud services.

The scope of the Agency under this work item includes developing the end user guides / guidelines.

Some of the indicative guides include:

1. Guide to implementing cloud services – overview & steps involved in the lifecycle: identifying the opportunity, evaluating the applications, identifying the right deployment model, evaluation & selection of a cloud service provider, contracting, planning for migration, managing the migration and monitoring the implementation

2. Framework for evaluating the suitability of applications / services / projects to leverage Cloud Services (IaaS, PaaS & SaaS)

3. Selecting a Cloud Service (IaaS, PaaS, DRaaS,…) and appropriate Cloud Deployment Model

4. Considerations, Checklists & Best Practices with respect to Standards, Security, Transition, SLA, Financial, Legal aspects,… when migrating to cloud based services (IaaS, PaaS and SaaS)

5. Defining scope of services clearly delineating the responsibilities of the cloud service providers, implementation agencies and departments in the entire implementation

6. Capacity Sizing Guidelines for estimating compute, storage, and network requirements

7. Guidelines for selection (e.g. evaluation criteria) of the right cloud service provider for the required services / application

8. Application development / migration guidelines for deploying applications on cloud environments

9. Guidelines for cloud platform based service development

10. Assessing the cloud readiness of an existing application

11. Migration roadmap and plan for cloud enablement and productisation of an existing application

12. Resource Management Guide providing references to applicable Laws, Regulations, Standards and Guides applicable when leveraging cloud services

Indicative References that may be studied for better understanding of the work item:

i. Australia

a. A Guide to Implementing Cloud Services – A Better Practice Guide

b. Resource Management Guide No. 406 – Australian Government Cloud Computing Strategy

ii. UK

a. Cloud Security Guidance: Risk Management

b. Cloud Security Guidance: Separation

iii. EU

a. Moving to the Cloud – A White Paper

b. Practical Guide to Cloud Computing Version 1.0

iv. US

a. Guide to NIST Information Security Documents

Work Item 10: Capacity Building Curriculum, Content & Artifacts

There is a key need to create awareness of these initiatives in the user departments, to showcase the advantages of migrating to cloud services and to set out ways to address the potential risks, so that the policy is adopted faster.

It is expected that there will be a need for a variety of training programs, at a minimum, that include:

1. Awareness Workshops to enhance the awareness of participants with respect to leveraging cloud services in their IT initiatives and to increase the visibility of Cloud by showcasing Best Practices & Guidelines and Model RFPs / MSAs

2. 2 – 3 day dedicated Capacity Building Programs covering Basics of cloud technology, policy, guidelines and Cloud service offerings etc. to build user capacities in evaluating & procuring cloud services

3. 2 – 3 day dedicated Technical Capacity Building Programs on the Technical Architecture, Standards,.. for a technical audience

4. Cloud related sessions conducted under the NeGD capacity building programs

The scope of the Agency under this work item includes:

1. Design the right kind of training programs

2. Design the curriculum for each of the recommended training programs

3. Design the content & develop the necessary training artifacts in the form of presentation decks, reading material, e-learning modules and certification courses

4. Develop case studies of projects successfully leveraging cloud services to showcase adoption of cloud solutions

5. Conduct Training of Trainers (ToT) to validate the designed curriculum, content and artifacts. The infrastructure and premises required for conducting the training will be provided by DeitY. The trainings will be conducted in NCR region for at least 5 batches (minimum batch size of 15) for each of the designed training programs. However, implementation of the Capacity Building Programs is out-of-scope for the Agency.

Work Item 11: Accreditation / De-Accreditation Strategy, Guidelines, Processes & Templates for Accreditation of the Offerings of Cloud Service Providers

Accreditation of the offerings of Cloud Service Providers as per the identified standards eliminates the necessity of the technical scrutiny of the cloud services by multiple interested departments. This provides assurance of the offerings of cloud service providers and facilitates easier adoption of the cloud services by the user departments.

The scope of the Agency under this work item includes:

1. Design an accreditation / de-accreditation strategy defining the role of auditors, cloud service providers and DeitY in the accreditation value chain

2. Develop necessary guidelines, processes & templates for the accreditation (initial as well as maintaining & re-accreditation) of the offerings of the cloud services providers that will be adopted by the cloud service providers to get their offerings audited

3. Develop the guidelines and reporting framework for continuous monitoring of operations to ensure compliance

4. Develop the end-user guides on the accreditation process and prepare the Accreditation Handbooks for various service offerings (a “Guide for Cloud Service Providers” for getting accredited, maintaining the accreditation and getting re-accredited at periodic intervals) among other relevant manuals

Indicative References that may be studied for better understanding of the work item:

i. Models adopted for UK (G-Cloud), US (FedRAMP) and Singapore (MTCS)

Work Item 12: Accreditation / Empanelment Strategy, Guidelines, Processes & Templates for Accreditation / Empanelment of the Cloud Auditors

In order to be accredited by DeitY, the CSPs need to get their services audited by an accredited / empaneled Auditor.

The scope of the Agency under this work item includes:

1. Design an accreditation / empanelment strategy for the Cloud auditors

2. Develop necessary guidelines, processes, templates and RFPs for the accreditation / empanelment (initial as well as maintaining accreditation, re-accreditation and de-accreditation) of the Cloud Auditors

3. Develop the end-user guides on the accreditation / empanelment process and prepare the Cloud Auditor Accreditation Handbook (a “Guide for Cloud Auditors” for getting accredited, maintaining the accreditation and getting re-accredited at periodic intervals) among other relevant manuals

4. Develop handbook for Cloud Auditors to certify the Cloud Service Providers

Indicative References that may be studied for better understanding of the work item:

i. Models adopted for UK (G-Cloud), US (FedRAMP) and Singapore (MTCS)

Work Item 13: Guidelines for providing PaaS & SaaS services (eGov AppStore)

The e-Gov App Store (http://apps.nic.in/) is a national level common repository of customizable and configurable applications, components and web services that can be re-used by various government agencies/departments at Centre and States, which will include the setting up of a common platform to host and run applications (developed by government agencies or private players) at National Clouds.

The scope of the Agency under this work item includes:

1. Define certification guidelines and underlying processes with respect to continuous certification of applications from private vendors and government departments.

2. Guidelines and standards on pricing models for applications available on the AppStore

3. Preparation of guidelines for audit of applications

4. Monitoring mechanism/governance framework for the compliance with GI Cloud standards, guidelines, norms and policies

5. Design the underlying procurement mechanisms & contracts or MoAs for the user departments to seamlessly procure applications from the AppStore

Work Item 14: Accreditation Strategy, Guidelines, Processes & Templates for Accreditation of the Offerings of SaaS Providers

Accreditation of the offerings of SaaS Providers as per the identified standards eliminates the necessity of the technical scrutiny of the SaaS offerings by multiple interested departments. This provides assurance of the offerings of SaaS providers and facilitates easier adoption of the SaaS by the user departments.

The scope of the Agency under this work item includes:

1. Design an accreditation strategy defining the role of auditors, SaaS providers and DeitY in the accreditation value chain

2. Develop necessary guidelines, processes & templates for the accreditation (initial as well as maintaining & re-accreditation) of the offerings of the SaaS providers that will be adopted by the SaaS providers to get their offerings audited

3. Develop the guidelines and reporting framework for continuous monitoring of operations to ensure compliance

4. Develop the end-user guides on the accreditation process and prepare the SaaS Accreditation Handbook (a “Guide for SaaS Providers” for getting accredited, maintaining the accreditation and getting re-accredited at periodic intervals) among other relevant manuals

Work Item 15: Accreditation / Empanelment Strategy, Guidelines, Processes & Templates for Accreditation / Empanelment of the SaaS Auditors

In order to be accredited by DeitY, the SaaS providers need to get their services audited by an accredited / empaneled Auditor.

The scope of the Agency under this work item includes:

1. Design an accreditation / empanelment strategy for the SaaS auditors

2. Develop necessary guidelines, processes, templates and RFPs for the accreditation / empanelment (initial as well as maintaining accreditation, re-accreditation and de-accreditation) of the SaaS auditors

3. Develop the end-user guides on the accreditation / empanelment process and prepare the SaaS Auditor Accreditation / Empanelment Handbook (a “Guide for SaaS Auditors” for getting accredited, maintaining the accreditation and getting re-accredited at periodic intervals) among other relevant manuals

Work Item 16: Procurement Guidelines

With the adoption of cloud services, the procurement model has to evolve from a primarily Capex to an Opex or Pay-per-use model.

The scope of the Agency under this work item includes:

1. Identify the areas that need legal / policy level interventions

2. Formulate recommendations on new procurement guidelines, amendments to procurement laws for procurement of services available on the GI Cloud Services Directory and eGov AppStore.

End-user guides for easier understanding of the deliverables need to be prepared.

Miscellaneous Activities

Apart from the above work items, the Agency is also responsible for the below set of activities:

1. Support DeitY and End User Departments

a. Be available on phone, email and video conference to support the stakeholders’ (e.g., departments, cloud service providers, SaaS providers, OEMs, System Integrators,..) queries / requests on developed standards, specifications, frameworks, templates and guidelines.

b. Create and continuously update FAQ on the portal

c. Seek feedback from the end-user departments on the developed artifacts and where required refine or develop additional frameworks / guidelines / user guides based on the inputs

d. Support DeitY in preparation of draft response to various queries received from other government/private organizations, RTI queries etc. on the published standards, guidelines, frameworks, etc.

e. Continuously monitor local and international trends on cloud services and integrate / leverage any learning

6. Deliverable Preparation Methodology

Approach Note and Deliverable Template

At the onset of each work item, the team should provide an approach note and templates of proposed deliverables for the respective work item. The approach note should at a minimum detail the secondary research and industry consultations proposed to be carried out.

The team will meet with DeitY to review the approach and deliverable templates, tailored to accommodate the needs of the specific work item, and agree on the scope, approach, format, and content of each of the deliverables under that work item. The agreements made during this meeting will be captured in a Deliverable Review Document (DRD) for each deliverable. A deliverable evaluation scorecard will be used to measure the deliverable (e.g., completeness, consistency, quality, and presentation) against the acceptance criteria defined in the DRD.

As project deliverables are submitted, DeitY will review them against the agreed upon DRD. When comments are provided, the team will address the comments and/or revise the deliverable and resubmit it within five days. The agreement on the scope of the deliverables at the beginning of each phase will reduce the need for multiple rounds of revisions and allow timely acceptance.

Secondary Research

The team is expected to study the available models, standards and guidelines adopted in different countries (EU, US, UK, Singapore, Australia,...) and by relevant international organizations including standard development organizations (CSA, NIST,..) during the preparation of the deliverables under the different work items. In case any content is used from the existing artifacts, complete references to the same shall be added at the appropriate place within the deliverable. All the external resources researched to prepare the deliverable need to be tagged and uploaded to the project website.


Consultations with Industry & Industry Groups

The team is also expected to consult with various experts from Academia, Research Agencies, Industry Groups (e.g., CCICI, CSA, DSCI,…) & industry (e.g., cloud service providers, system integrators, OEMs, Cloud Consultants,..) to get inputs on the deliverables. The consultations, along with the list of the stakeholders consulted and a summary of the discussions, inputs, comments and feedback received, need to be comprehensively brought out in the background note accompanying the deliverables. The comments / feedback / inputs at each stage of the approval process should also be captured in the background note.

Example Case Studies

In case a framework is created, where applicable, the team shall detail the example case studies / scenarios / use cases within the respective frameworks and / or end-user guides to demonstrate the use of the framework. The user guides / guidelines should be created from the end-user perspective.

Document Revision History

Each of the deliverables shall capture the document history with the initiating agency (indicating author, reviewer and approver within the organization), expert group reviews and final approvals. The editable versions of the deliverables have to be submitted to DeitY and the same including the interim deliverables will become the intellectual property of the DeitY. Where required, the deliverables may need to be revised on a semi-annual (or periodic) basis.

Version Management

The team shall maintain all project documents including the summary of discussions, meeting minutes, multiple revisions/versions of the deliverables in a version control tool that will be provided by DeitY.

Project Management

The team shall keep the project plan and all related artifacts up-to-date during the course of the project in a project management tool that will be provided by DeitY.

7. Governance Structure and Acceptance of Deliverables

DeitY is the owner of the project and in order to streamline and manage the project, DeitY will form a suitable Governance mechanism. Broadly, the proposed governance mechanism will include:

1. Steering Committee: Review the progress of Project and recommend policy level directions / advice to CMO

2. Working Group: Working Group within DeitY with representation from other government agencies will be setup to recommend the approval of the deliverables including the standards, specifications, frameworks, templates, guidelines and end-user guides. DeitY is the final approving authority and will approve the deliverables on the recommendation of the Working Group. The standards, guidelines and other deliverables arising out of this engagement will be published only on approval of the DeitY.

3. Project Mission Team: A team of DeitY officials, chaired by a Nodal Officer, will anchor this project and will work with the Agency on a daily basis. This team will provide all necessary program management support to the Nodal Officer.

4. Expert Group: A team of experts from industry & academia will be setup to work with DeitY for consultations on the deliverable templates, proposed approach, deliverables submitted by the Agency. The Agency will provide all necessary support to DeitY for conduct of meetings, presentations,.. for the Expert Group.

The Working Group will hold reviews and suggest / recommend on the acceptance of the deliverables. The Working Group may release, where necessary, the draft deliverables for public & industry comments before acceptance of the deliverable. DeitY may also invite other entities (in addition to the Working Group) or experts in the domain as required, for reviewing and approving project deliverables.

Some of the deliverables will need to be accepted by multiple stakeholders within DeitY. The Agency will closely work with all the members of the above governance structure in successfully executing the engagement. The Agency shall deploy senior / expert resources to DeitY to present and explain the deliverables to DeitY / Working Group / Project Mission Team / Expert Group and present clarifications where required. The Agency shall review the comments received and incorporate appropriate changes / suggestions from the public / industry / experts / Project Mission Team into the deliverables.

The final authority to accept and sign-off each deliverable lies with the DeitY through the approval of the Working Group constituted by DeitY. The final accepted deliverables shall be published on the project website after approval from DeitY.

Sign-off on the deliverables by DeitY does not necessarily indicate the completion of the work for the respective deliverables. Any gap that is found in a deliverable or a revision of the deliverable necessitated by a change in the policy and / or underlying standards, even after the sign-off, will have to be addressed by the Agency without any additional cost to DeitY.

8. Resource Requirements

Below is an indicative person month effort required. However, the Agency is responsible to deploy the right number of resources that will be able to deliver as per the scope of work defined in this RFP.

Number of Resources (Mix of full time dedicated resources & part time domain / subject matter experts) (Minimum Indicative Only)

Number of Resources (Mix of full time, dedicated, resources & part time domain / subject matter experts) | Y1 | Y2 | Y3
Engagement Lead (15+ years of experience) | 1 | 1 | 1
Domain Experts / Subject Matter Experts / Principal Consultants in the areas of Information Security, Cloud Computing / Standards / Contracts (10+ years of experience) | 4 | 4 | 2
Sr. Consultants / Consultants in the areas of Information Security, Cloud Computing / Standards / Contracts (6 - 10 years of experience) | 4 | 4 | 2
Legal Expertise (15+ years of experience) | 1 | 1 | 0
Capacity Building Curriculum and Content Design Experts (8+ years of experience) | 2 | 2 | 0

(In the third year, DeitY reserves the right to reduce/increase the total number of resources to be deployed on the project based on the deliverables planned for the third year. However, if any of the deliverables targeted for the Year – 1 and / or Year – 2 are delayed and carry on to the third year, the planned resources for the Year – 1 and / or Year – 2 shall continue into the third year.)

It may be noted that the resource requirements provided by DeitY are only the minimum requirement. The Bidder, based on his understanding, is free to suggest and propose additional resources, if required. At least two of the proposed resources (one senior consultant with 8-10 years of experience & one junior consultant with 6+ years of experience) have to be positioned out of DeitY for continuous co-ordination with the stakeholders within DeitY. However, for the periodical (fortnightly or as required) project reviews, the relevant team members along with the Engagement Lead should be present at DeitY and lead the presentation.

Consultants will carry their own laptops equipped with data cards for internet connectivity. The bidder shall provide resume/profiles of all the key resources to be deployed on this project. The bidder shall refrain from detailing the complete work experience which is not relevant to this project. DeitY reserves the right to interview the key resources to be deployed on the project. In case any of the proposed resources are found to be not performing or not meeting the expectations of DeitY, the agency shall find a replacement for the resource within two weeks. DeitY will evaluate the replacement profile and indicate the acceptance / rejection of the profile. If required, DeitY may seek a personal interview of the person being proposed. Resources deployed on the project can be replaced by the agency suo-moto with a minimum notice of 2 weeks subject to approval of the proposed resource by DeitY and the replacement resource should be part of the transition for at least 2 weeks.

Indicative Resource Profiles

1. Engagement Lead

i. MBA & Engineer from premier institutes like IIM/IIT with at least 15 years of work-experience

ii. Minimum 5 years of end-to-end experience in leading IT Consulting projects in India/abroad

iii. Multiple stakeholder management experience in Government setup

iv. Good understanding of Cloud Service & Deployment Models

2. Information Security Experts

i. At least 10 years of project based experience across multiple IS domain areas

ii. Project Experience should include domains of risk management, incident management, data security, IT network architecture and Security components (including IDS/IPS/Firewalls)

iii. Implementation and functional consulting experience with leading security / eGRC / Vulnerability Assessment / SIEM solutions

iv. BE/B.Tech/MCA/MBA (IT/Systems)/PGDM(IT/Systems)

v. Certifications: At least 2 out of CISSP/CISA/CISM/CRISC/ISO27K

3. Cloud Computing Experts

i. Engineer with experience in Cloud Computing technologies (all of IAAS, PAAS and SAAS).

ii. Expertise and deep understanding of standards in the areas of security, interoperability, portability and other domains

iii. Sound knowledge of national and international standards and the related organizations

iv. Excellent consulting skills for consultations with various stakeholder groups including IT industry as well as government and academia

v. BE/B.Tech/MCA/ MBA (IT/Systems)/PGDM (IT/Systems)

vi. Cloud Certification from any leading Cloud OEMs

4. Legal Experts

i. Any Graduate with a Bachelors / Masters degree in Law

ii. Minimum 15 years of experience in Cyber/IT and contractual Law

iii. Experience of designing Master Services Agreement for turnkey IT projects

5. CB Curriculum and Content Design Experts

i. At least 8 years of experience in design & delivery of technology training programs

ii. Experience in design of course content & training artefacts

iii. Experience in conducting training programs

9. Project Timelines

The project duration is for a period of 3 years.

Once prioritization of the cloud service offerings is completed, the standards / specifications / guidelines for the highest priority / highest demand cloud service offerings have to be developed in the first iteration to facilitate faster adoption of the cloud services by the end user departments. In the subsequent iterations, the same have to be developed for the next set of cloud service offerings.

At the beginning of the quarter, the Agency will prepare a quarterly plan in consultation with DeitY detailing out the targets to be achieved for the quarter including the guidelines, policies and frameworks to be delivered.

The indicative First Quarter work items are as given below:

1. Work Item 1: Definition of the Services / Standardization of the Nomenclature of Cloud Service Offerings

2. Work Item 2: Prioritization of the Cloud Service Offerings

3. Work Item 3: Detailing out the GI Cloud Reference Architecture

4. Work Item 4: Risk & Security Assessment and Decision Framework

5. Work Item 5: Identify the domains & critical areas where Standards have to be identified and Specifications / Model Frameworks / Templates / Guidelines are to be developed

The indicative Second Quarter work items are as given below:

1. Work Item 5: Identify the domains & critical areas where Standards have to be identified and Specifications / Model Frameworks / Templates / Guidelines are to be developed

2. Work Item 6: Mapping & Evaluation of existing standards & certifications relevant to Cloud Computing

3. Work Item 7: Identify Standards & Develop Specifications (where required) against the domain areas identified above (for each of the risk / business impact levels & different cloud service offerings)

4. Work Item 10: Capacity Building Curriculum, Content & Artifacts

The indicative Third Quarter work items are as given below:

1. Work Item 7: Identify Standards & Develop Specifications (where required) against the domain areas identified above (for each of the risk / business impact levels & different cloud service offerings)

2. Work Item 8: Develop Frameworks, Templates & Guidelines for Standardization of the different Cloud Service Offerings

3. Work Item 9: End-user Guides / Guidelines to assist the end user departments in evaluating and migrating to cloud services

4. Work Item 12: Accreditation / Empanelment Strategy, Guidelines, Processes & Templates for Accreditation / Empanelment of the Cloud Auditors

5. Work Item 10: Capacity Building Curriculum, Content & Artifacts

The indicative Fourth Quarter work items are as given below:

1. Work Item 8: Develop Frameworks, Templates & Guidelines for Standardization of the different Cloud Service Offerings

2. Work Item 9: End-user Guides / Guidelines to assist the end user departments in evaluating and migrating to cloud services

3. Work Item 11: Accreditation / De-Accreditation Strategy, Guidelines, Processes & Templates for Accreditation of the Offerings of Cloud Service Providers

4. Work Item 10: Capacity Building Curriculum, Content & Artifacts

The indicative Fifth & Sixth Quarter work items are as given below:

1. Work Item 13: Guidelines for set up of PaaS & SaaS service (eGov AppStore)

2. Work Item 15: Accreditation / Empanelment Strategy, Guidelines, Processes & Templates for Accreditation / Empanelment of the SaaS Auditors


3. Work Item 10: Capacity Building Curriculum, Content & Artifacts

The indicative Seventh & Eighth Quarter work items are as given below:

1. Work Item 14: Accreditation Strategy, Guidelines, Processes & Templates for Accreditation of the Offerings of SaaS Providers

2. Work Item 16: Procurement Guidelines

3. Work Item 10: Capacity Building Curriculum, Content & Artifacts

The scope of work under the miscellaneous activities spans across the quarters:

Development of standards / specifications / guidelines for second & third priority cloud service (2nd & 3rd iterations), guidelines for cloud brokers and revisions of the already developed standards / guidelines are a few of the activities to be carried out by the Agency till the end of the project duration. Further, in the third year or as initiated by DeitY, the team shall carry out the complete transition of the knowledge, deliverables and all artifacts developed during the contract to DeitY or a team identified by DeitY to take over the responsibilities. The Agency shall prepare an exit management plan with details of the briefing sessions to be conducted to transfer the knowledge.

In the third year, DeitY reserves the right to reduce/increase the total number of resources to be deployed on the project based on the deliverables planned for the third year. However, if any of the deliverables targeted for the Year – 1 and / or Year – 2 are delayed and carry on to the third year, the planned resources for the Year – 1 and / or Year – 2 shall continue into the third year.

10. Payment Schedule

1. The Agency will receive payments on acceptance of deliverables by Working Group constituted by DeitY.

2. The Agency can raise the invoice after it receives written acceptance of the deliverable from DeitY.

3. A mobilization advance of 25% of the Quote for the Services during the FIRST YEAR (refer to the Commercial Quotation Format under Annexure 6) against the submission of advance bank guarantee.

4. Subsequent payments will be made at the end of the quarter after satisfactory delivery of services.

5. The equated quarterly payment will be calculated based on the Quote for the Services during the respective year.

6. The Actual Quarterly Amount Payable is the payment due to the Agency after any LD related deductions and less the retained payments (see below), subject to the following conditions:

a. The Agency will receive 100% of the quarterly payment (less any LD related deductions) if all the agreed upon deliverables, including those of the preceding and current quarters, are accepted by the Working Group of DeitY.

b. The Agency will receive 70% of the quarterly payment (less any LD related deductions) if one or two of the agreed upon deliverables, including those of the preceding and current quarters, are pending approval by the Working Group of DeitY. The remaining 30% of the quarterly payment will be retained by DeitY. The payment retention will be made only on delays on the major project deliverables.

c. In case more than two of the agreed upon deliverables, including those of the preceding and current quarters, are pending approval by the Working Group of DeitY, 100% of the quarterly payment will be retained by DeitY. The payment retention will be made only on delays on the major project deliverables.

7. All retained payments (after any LD related deductions) will be paid on successful completion and acceptance of the deliverables against which the payment was retained.

8. In the event that any addition or reduction of resources is carried out with the approval of DeitY, the change to the quarterly payment (an increase in case of additional resources or a decrease in case of reduction of resources) will be calculated based on the Blended Person Month Cost (C) provided in the Commercial Quotation (refer to Annexure 6).

9. In the event of any increase or decrease in the rate of taxes due to any statutory notification(s) during the term of the Agreement, the consequential effect shall be borne by DeitY.

11. Instructions to Bidders

1. Availability of the RFP Documents: The RFP can be downloaded from the website given under Section 3. The bidders are expected to examine all instructions, forms, terms, project requirements and other information in the RFP documents. Failure to furnish all inf
