IT security firms have been asked to put themselves up for membership of a special-purpose panel to provide security services across all of government.
The move is partly in response to a number of recent incidents involving privacy and security breaches at government agencies, commissioning agency the Department of Internal Affairs says.
It sees the panel arrangement as a way of ensuring more consistency in security "skills and techniques" provided to agencies.
"The government has a declared objective to raise the standards of security and privacy practice and behaviour across the public sector," DIA says in a request for proposal for the services. The envisaged panel of specialist information security and privacy suppliers will make it easier for agencies to "source high quality specialist assistance in an easy to access manner", it says.
To date, agencies have sourced ICT security services either from individual providers or as part of an existing panel arrangement for other ICT supplies. "As a number of the existing panels are nearing the end of their term and to ensure agencies can rely on a consistent and highly qualified set of specialist skills and techniques, DIA is establishing the [specialist security] panel with a number of additional service options," DIA says.
These "additional service options" provide another dimension of flexibility in future arrangements based on the panel. Potential suppliers are given the option of undertaking to provide one or more of a number of initially proposed services, but "once the panel is established, DIA will be keen to engage with the wider market to explore and agree any changes or additions to the initial service options," the RFP says.
"Such change may also be made as required, based upon agency feedback on the relevance of the service options, as standards of security and privacy practice mature or other events dictate."
An all-of-government request for provision of security services marks a new openness in the membership of supplier "panels". After an initial panel has been formed, new potential suppliers will be allowed to put themselves up later to join the panel.
Usually in the past, once supplier panels are formed, they have been restricted for the contract period to only those members initially appointed.
The new open-style panel follows a major reform of government procurement. ICT industry organisations have for some time been pressing for increased openness of panels (Computerworld, December 17, 2012).
The openness of the panel is made clear in a paragraph in Section 10 of the RFP: "A process will also be supported that will allow interested suppliers to join the Panel after it has been established," it says.
"Should this occur, the same evaluation criteria will be used as for this RFP document. It is expected that this will be via a standing Notice that is made continuously available on GETS that allows interested suppliers to respond on an ongoing basis. This is referred to as an 'open' panel and is supported by the Government Rules of Sourcing that have recently been approved by Cabinet. It is planned that DIA will evaluate any requests from interested suppliers to join the Panel each quarter, if required, for efficiency reasons."
The initially requested set of expertise areas are: Risk management, assessment and assurance; security governance, architecture and design; security consulting and review; certification and assurance; source code and application review; network and application security testing; and computer forensics, investigation and security incident response.
Provision of such services in a coordinated way through a panel should help achieve some of the "key elements to lifting information security and privacy practices and standards across the public sector", DIA says. These key elements include: "Implementing security and privacy practices as an integral part of an agency's overall risk management activity; setting expectations on the standards required for information security and privacy that are effective, achievable and enduring in the short term; and providing assistance and monitoring performance in lifting standards as appropriate and needed."
The sourcing of security services is classed as a "common capability ICT (CC-ICT) procurement". This means DIA will enter into an agreement with the chosen members of the panel. "Eligible agencies can then sign up to a Security Services Subscription Agreement with the service provider(s) to purchase services made available under the CC-ICT Agreement(s)."
The panel's services will be available to a large group of agencies including public service departments, Crown entities, state-owned enterprises. the NZ Defence Force, the Police, the SIS, the Clerk of the House of Representatives and the Parliamentary Service, as well as local authorities.