EU solidarity with Ukraine
Prozorro+: Ukrainian public procurement platform
Luxembourg-Luxembourg: EIF - Provision and Management of Necessary Transversal Cloud Security and Integration Services (Luxembourg)
Section I: Contracting authority
Section II: Object
Provision and Management of Necessary Transversal Cloud Security and Integration Services
The EIF is looking for a partnership that will help with the management of specific security controls and compliance aspects of cloud-related services as well as integration services and will work in close collaboration with existing EIF service providers operating in the cloud.
This call for tenders aims at provisioning already identified cloud security and integration services. Given the duration of the call for tenders, as per the lifecycle of new technologies, some technical security services (as per the scope of this call for tenders) maybe renewed, retired or added.
While in principle the service provider will work from their usual professional premises, the EIF would expect their participation in EIF premises from time to time in meetings.
At the earliest stage of the project, EIF will lead discussions to setup a clear and documented governance for all services. Across the terms of reference, EIF specifies the expected security controls.
Here is the high-level list of direct Services that EIF expects to receive from the successful service provider:
• a common cloud-based identity and access management (IAM) solution, simple to administer, that offers single sign-on (SSO) in order to ensure the necessary interoperability for all its solutions hosted on Amazon Web Services (AWS), Microsoft Azure or any other cloud provider, including multi-factor authentication mechanisms;
• a solution to collect application and system logs centrally, store them with appropriate retention, monitor events and escalate relevant incidents to EIF and its involved services providers;
• a vulnerability management tool/service to scan all EIF Cloud platforms to provide monthly and quarterly aggregated reports on vulnerability;
• an advanced system and file encryption/exchange services to protect EIF data;
• a ticketing system to handle support cases, change, release management of specific EIF core cloud applications (EIF does not necessarily expect this solution to be used for the management of the relationship between EIF and the Cloud Services Broker);
• an SFTP service for secure integration/files transfers between EIF solutions or with counterparts;
• advisory services on different technology aspects (cost monitoring and optimisation, cloud related, security and architecture review etc.);
• penetration testing services to assess the security of EIF Cloud solutions.
Through this call for tender, the EIF expects to find a central service provider for the scope of services defined in the terms of reference.
The Framework Agreement will be signed for an initial period of 3 years with the possibility to be extended thereafter for four consecutive 1-year periods, upon the EIF’s discretion (3 + 1 + 1 + 1 + 1).
Section III: Legal, economic, financial and technical information
As stated in the procurement documents.
The EIF will sign a framework agreement with one service provider (‘Framework Agreement’) for an initial period of 3 years with the possibility to be extended thereafter for four consecutive 1-year periods, upon the EIF’s discretion (3 + 1 + 1 + 1 + 1).
The Framework Agreement is subject to the EIF General Terms and Conditions (‘EIF GTCs’), which will form part of the Framework Agreement as Appendix C.
Implementing contracts will be established under the Framework Agreement whenever an assignment is required according to the mechanism described in section 6 of the terms of reference.
Section IV: Procedure
A 7 year (3+1+1+1+1) Framework Agreement is expected to be signed. The reason for requesting more than 4 years is that the setup of some key services may require a longer program, which may last longer than 2 years after the signature and which will be too short for EIF to fully benefit from all services.
The opening session is not public.
Section VI: Complementary information