We expect tenderers to have expertise and knowledge in several of the following areas:
— relevant EU legislation, in particular CSA and the regulatory framework in the European and international market,
— European ICT market, sectoral domains and their ICT services; major stakeholders and their roles, business objectives and position in the international market; dependencies on non-European service or technology providers,
— typical sector-specific requirements for the evaluation and certification of ICT products, existing certification schemes and their position in the relevant market sectors,
— typical system architectures for ICT services and involved ICT products,
— typical attack vectors and the capabilities of the different types of potential attackers,
— risk assessment standards (e.g. ISO/IEC 27005) and current work undertaken by related standardization bodies,
— practical experience in carrying out risk assessments,
— ICT product security evaluation and certification schemes (e.g. CC/SOGIS-schemes, EMVCo, FIDO) and related standards,
— ISMS evaluation and certification based on the ISO/IEC 27000 series of standards,
— definition and implementation of evaluation and certification schemes,
— generation of protection profiles and security targets,
— enabling and managing evaluation labs, quality assurance processes for evaluation labs,
— validation of evaluation results and issuing certificates,
— collecting stakeholders’ requirements, aggregating and documenting different opinions and viewpoints,
— generating technical documentation.
Various specific contracts based on the annual ENISA Work Programme will be launched periodically to the successful framework contractors based on the ‘Reopening of Competition’ procedure. Depending on the needs of the contracting authority and budget availability, this overall budget could be increased by up to 50 % by using a ‘negotiated procedure without prior publication of a contract notice’.