Tender For Surveillance Assessment Of Indian Railway E-Procurement System (Ireps) Version V-7.10,Security Penetration(Pt) Testing Of The Application In Production Environment At (Location) Gm/Eps, Cris Delhi 1.00 Numbers 2 002 Service Non Stock --- Yes Co, delhi-Delhi

Tender For Surveillance Assessment Of Indian Railway E-Procurement System ( Ireps ) Version V-7.10, Security Penetration ( Pt ) Testing Of The Application In Production Environment At ( Location ) Gm / Eps, Cris Delhi 1.00 Numbers 2 002 Service Non Stock --- Yes Consignee Inr ( Y ) Security Vulnerability Assessment Of Servers And Network Devices ( Va ) Hosting Ireps Application At ( Location ) Gm / Eps, Cris Delhi 1.00 Numbers 3 003 Service Non Stock --- Yes Consignee Inr ( Y ) Security Testing Of The Application For E-Auction, E-Reverse Auction And Contract Tracking, Udm Module At ( Location ) Gm / Eps, Cris Delhi 1.00 Numbers 3. T And C F.O.R Description Destination Page 1 Of 4 Run Date / Time: 14 / 02 / 2024 13:11:40Procurement / Cris Tender Document Tender No 01245048 Closing Date / Time 28 / 02 / 2024 15:30 Delivery Period Description Delivery / Completion Rate Of Supply For All Items Completion : Within 42 Days --- Payment Terms S.No Description Payment Terms 1 1 ) All The Payments Will Be Made Against Respective Gst Invoice Only. ( 2 ) 60% Of The Service Charge Plus Applicable Gst Will Be Paid After Receipt Of First Assessment Report And The Balance 40% Will Be Paid After Completion Of Assessment ( Receipt Of Final Assessment Report ) For Which Another Tax Invoice Will Be Raised. ( 3 ) The Applicable Taxes Will To Be Paid As Per Actual Rate Applicable During The Payment. ( 4 ) Payment Will Be Made Through Non-Tax Receipt Portal ( Bharat Kosh ) , Of Govt. Of India ( Https: / / Bharatkosh.Gov.In ) By Any Of The Modes Available, Followed By Generation Of Deposit / Pay In Slip From There Or Through Neft To Your Bank Account. ( 5 ) Gst Invoice Will Be Raised After Successful Completion Of First Round Of Assessment. ( 6 ) Payment Will Be Made Within Seven Days Of Presentation Of The Invoice. ( 7 ) The Responsibilityof Their Closures Of The Audit Observations Lies With The Customer. ( 8 ) In Any Case, The Payment Should Not Be Linked With The Closures Of The Assessment Observations, If Any. ( 9 ) Stqc-Ertl / Laboratory Is A Government Of India Organization And Hence, As Per Section 196 Of Income Tax Act; Income Tax Tds Is Not Applicable On Us; Gst Invoice Will Be Paid In Full. ( 10 ) Receipt ( S ) Of The Payment Generated From Non-Tax Receipt Portal ( Bharat Kosh ) Of Govt. Of India Or Neft May Please Be Presented During Collection Of The Final Report. ( Https: / / Bharatkosh.Gov.In ) Has To Be Produced, While Taking Delivery Of Services ( Reports / Certificates ) . ( 11 ) The Life Of The Assessment Project Will End After Three Months From Issuance Of First Assessment Report. All Closure Actions Of The Security Issues Must Be Completed Within This Period. The Lab Shall Issue The Last And Final Assessment Report, Irrespective Of All Security Issues Are Closed Or Not. If There Are Still Open Security Issues Even After Three Months Of First Assessment Report And If The Customer Wants. Standard Governing Conditions S.No Description 1 As Per Cris Egcc Including Modifications If Any. 4. Eligibility Conditions Special Eligibility Criteria S.No. Description Confirmation Remarks Documents Required Allowed Uploading 1 Na Yes Yes Not Allowed 5. Compliance Conditions Commercial-Compliance S.No. Description Confirmation Remarks Documents Required Allowed Uploading 1 Please Enter The Percentage Of Local Content In The Material Being Offered. No Yes Allowed Please Enter 0 For Fully Imported Items, And 100 For Fully Indigenous Items. ( Optional ) The Definition And Calculation Of Local Content Shall Be In Accordance With The Make In India Policy As Incorporated In The Tender Conditions. Other Conditions S.No. Description Confirmation Remarks Documents Required Allowed Uploading Page 2 Of 4 Run Date / Time: 14 / 02 / 2024 13:11:40Procurement / Cris Tender Document Tender No 01245048 Closing Date / Time 28 / 02 / 2024 15:30 1 Annual Surveillance Assessment-Ii Of Indian Railways E-Procurement No No Not Allowed System ( Ireps ) Version V-7.1.0 Comprises Of E-Tender, E-Auction, Contract Tracking And User Depot Module Hosted At Https: / / Ireps.Gov.In. Following Test Will Be Conducted In The Surveillance Assessment-Ii. Penetration Testing: Penetration Testing ( Pt ) Will Be Done Remotely From Public Domain ( Internet ) To Find Out Exploitable Vulnerabilities. No Privilege Access Is Required. Series Of Testing Conducted Like Information Gathering From Public Domain, Port Scanning, System Fingerprinting, Service Probing, Vulnerability Scanning, Manual Testing, Password Cracking Etc. Using State- Of-The-Art Tools ( Commercial And Open Source ) And Techniques Used By Hackers With A Objective To Unearth Vulnerabilities And Weaknesses Of The It Infrastructure. The Audit Will Be Conducted Remotely From Stqc Laboratory. Vulnerability Assessment: Collect Information About The Current Security Configuration Of The Hosts / Devices By Running Script / System Commands With Highest Privilege ( E.G. Root / Administrator ) Or Copying The System Configuration Files As Appropriate. The Running Of The Scripts / Commands Or Copying Of The Configuration Files Will Be Done By The Respective System Administrators Of The Client Organization. The Script / Command Outputs Or The Copy Of The Configuration File Have To Be Submitted To The Stqc Assessors For Analysis And Interpretation. The Scripts / Command Details Will Be Provided By The Stqc Assessors. Vulnerability Scanning Of The Hosts For Finding The System / Service Vulnerabilities. The Scanning Will Be Done Without Using Any User Credentials Or In Non-Privileged Mode. The Vulnerability Scanning Can Be Done Remotely From Stqc Laboratory If Suitable Access Is Given To The Hosts / Devices Through Internet Or Vpn. Web Application Security Assessment: The Application Will Be Audited To Discover Any Vulnerabilities / Weaknesses. Open Web Application Security Project ( Owasp ) Guideline Will Be Followed For This Audi 2 ( 1 ) Consignee: Gm-Eps / Cris, 7Th Floor Itpi Building, 4-A Ring Road Ip Yes Yes Not Allowed Estate, New Delhi-02. ( 2 ) Details Of The Contact Person- A ) For Administrative Purpose- Sh Sam Naqvi, Gm / Eps, 9559804576, Sam.Naqvi@Cris.Org.In B ) For Technical Aspects-I ) Kaushlesh Kumar, Sr. Project Engineer, 9953001994, Kumar.Kaushlesh@Cris.Org.In Ii ) Sonu Singh Patel, Project Engineer, 8130797608, Patel.Sonu@Cris.Org.In ( 3 ) Non- Disclosure Agreement ( Nda ) Will Be Signed Between Consignee & Consigner. ( 4 ) The Responsibilities And Work Assigned To Stqc Shall Be As Per Scope Of Work. Any Change In Work Schedule Shall Be Mutually Agreed Between Customer & Stqc. ( 5 ) Cost And Schedule Implications, If Any Due To Change In The Scope At Any Stage During Execution, Of The Assignment, Shall Be Reviewed And Revised. ( 6 ) Cris Will Make Necessary Technical Arrangement So That The Ireps Application Is Available For Audit, Remotely From Kolkata Over Internet. ( 7 ) In Order To Complete The Work As Per Schedule, Cris Shall Ensure Readiness Of The System To Be Verified And Timely Provide The Documentation And Required Information To Stqc. ( 8 ) Cris Will Provide Inputs Required By Stqc In Time. If The Timely Inputs Are Not Provided, Then The Stqc Activities Will Be Rescheduled Accordingly. ( 9 ) Stqc Shall Ensure Timely Completion If Testing Activities As Per Plan And Submit The Deliverables. ( 10 ) In Case Of Discontinuation Of The Contract Due To Any Reason From Either Side Expressed In Writing, One Month Notice Period Shall Be Given Page 3 Of 4 Run Date / Time: 14 / 02 / 2024 13:11:40Procurement / Cris Tender Document Tender No 01245048 Closing Date / Time 28 / 02 / 2024 15:30 3 Delivery Period Condition -Stqc Will Provide Following Reports: ( 1 ) First No No Not Allowed Assessment Report:- An Observation Report Describing The Discovered Vulnerabilities, Weaknesses And Mis-Configurations With Recommended Actions For Risk Mitigation Will Be Submitted. ( 2 ) Final Assessment Report:- A Verification Audit Will Be Conducted After The Closure Of Issues Raised In First Assessment Report And Final Report Will Be Issued Stating The Status Of The Site After Closure. Delivery Schedule: ( 1 ) Within 2 Weeks To Initiate Work From The Date Of Placement Of Contract. ( 2 ) 4-6 Weeks From The Date Of Placement Of Contract For Completion Of First Assessment And Submission Of Reports Of First Assessment ( 3 ) Final Assessment Report Within 2-3 Weeks From Date Of Intimation For Closing Of Non-Compliance / Issues By Cris. 6. Documents Attached With Tender S.No. Document Name Document Description No Document Attached The Tenderers In Their Bid Shall Indicate The Details Of Their Gst Jurisdictional Assessing Officers ( Designation, Address & Email Id ) . In Case Of A Contract Award, A Copy Of Purchase Order Shall Be Immediately Forwarded By Purchaser To The Gst Jurisdictional Assessing Officer Mentioned In Tenderers Bid This Tender Complies With Public Procurement Policy ( Make In India ) Order 2017, Dated 15 / 06 / 2017, Issued By Department Of Industrial Promotion And Policy, Ministry Of Commerce, Circulated Vide Railway Board Letter No. 2015 / Rs ( G ) / 779 / 5 Dated 03 / 08 / 2017 And 27 / 12 / 2017 And Amendments / Revisions Thereof. As A Tender Inviting Authority, The Undersigned Has Ensured That The Issue Of This Tender Does Not Violate Provisions Of Gfr Regarding Procurement Through Gem. Digitally Signed By Amp-Iii ( Anil Rawat ) , Security Vulnerability Assessment Of Servers And Network Devices ( Va ) Hosting Ireps Application At ( Location ) Gm / Eps, Cris Delhi 1.00 Numbers 3 003 Service Non Stock --- Yes Consignee Inr ( Y ) Security Testing Of The Application For E-Auction, E-Reverse Auction And Contract Tracking, Udm Module At ( Location ) Gm / Eps, Cris Delhi 1.00 Numbers 3. T And C F.O.R Description Destination Page 1 Of 4 Run Date / Time: 14 / 02 / 2024 13:11:40Procurement / Cris , Security Testing Of The Application For E-Auction, E-Reverse Auction And Contract Tracking, Udm Module At ( Location ) Gm / Eps, Cris Delhi 1.00 Numbers

Refer document

Refer document

Refer document

Sl. No.	Item Description
1	Surveillance Assessment Of Indian Railway E-Procurement System (Ireps) Version V-7.10
2	Security Penetration(PT) Testing of the Application in production environment At (Location) GM/EPS, CRIS Delhi 1.00 Numbers 2 002 Service Non Stock --- Yes CONSIGNEE INR (Y) Security Vulnerability Assessment of Servers and Network devices(VA)hosting IREPS Application At (Location) GM/EPS, CRIS Delhi 1.00 Numbers 3 003 Service Non Stock --- Yes CONSIGNEE INR (Y) Security Testing of the application for e-Auction, e-Reverse Auction and Contract Tracking, UDM module At (Location) GM/EPS, CRIS Delhi 1.00 Numbers 3. T AND C F.O.R Description Destination Page 1 of 4 Run Date/Time: 14/02/2024 13:11:40PROCUREMENT/CRIS TENDER DOCUMENT Tender No 01245048 Closing Date/Time 28/02/2024 15:30 Delivery Period Description Delivery /Completion Rate of Supply For all items Completion : Within 42 Days --- Payment Terms S.No Description Payment Terms 1 1) All the payments will be made against respective GST invoice only. (2) 60% of the service charge plus applicable GST will be paid after receipt of first Assessment Report and the balance 40% will be paid after completion of assessment ( receipt of final Assessment Report) for which another Tax Invoice will be raised. (3) The applicable taxes will to be paid as per actual rate applicable during the payment. (4) Payment will be made through Non-Tax Receipt Portal (Bharat Kosh), of Govt. of India (https://bharatkosh.gov.in) by any of the modes available, followed by generation of Deposit / Pay in Slip from there OR through NEFT to your Bank Account. (5) GST Invoice will be raised after successful completion of first round of assessment. (6) Payment will be made within seven days of presentation of the invoice. (7) The responsibilityof their closures of the Audit observations lies with the customer. (8) In any case, the Payment should not be linked with the closures of the Assessment Observations, if any. (9) STQC-ERTL/ Laboratory is a Government of India Organization and hence, as per section 196 of Income Tax Act; Income Tax TDS is NOT applicable on us; GST invoice will be paid in FULL. (10) Receipt(s) of the payment generated from Non-Tax Receipt Portal (Bharat Kosh) of Govt. of India or NEFT may please be presented during collection of the final report. (https://bharatkosh.gov.in) has to be produced, while taking delivery of services (reports / certificates). (11) The life of the assessment project will end after three months from issuance of first Assessment Report. All closure actions of the security issues must be completed within this period. The lab shall issue the last and final Assessment Report, irrespective of all security issues are closed or not. If there are still open security issues even after three months of first assessment report and if the customer wants. Standard Governing Conditions S.No Description 1 As per CRIS eGCC including modifications if any. 4. ELIGIBILITY CONDITIONS Special Eligibility Criteria S.No. Description Confirmation Remarks Documents Required Allowed Uploading 1 NA Yes Yes Not Allowed 5. COMPLIANCE CONDITIONS Commercial-Compliance S.No. Description Confirmation Remarks Documents Required Allowed Uploading 1 Please enter the percentage of local content in the material being offered. No Yes Allowed Please enter 0 for fully imported items, and 100 for fully indigenous items. (Optional) The definition and calculation of local content shall be in accordance with the Make in India policy as incorporated in the tender conditions. Other Conditions S.No. Description Confirmation Remarks Documents Required Allowed Uploading Page 2 of 4 Run Date/Time: 14/02/2024 13:11:40PROCUREMENT/CRIS TENDER DOCUMENT Tender No 01245048 Closing Date/Time 28/02/2024 15:30 1 Annual Surveillance Assessment-II of Indian Railways e-Procurement No No Not Allowed System (IREPS) version V-7.1.0 comprises of e-tender, e-auction, Contract tracking and User Depot Module hosted at https://ireps.gov.in. Following Test will be conducted in the Surveillance Assessment-II. Penetration Testing: Penetration Testing (PT) will be done remotely from public domain (Internet) to find out exploitable vulnerabilities. No privilege access is required. Series of testing conducted like information gathering from public domain, port scanning, system fingerprinting, service probing, vulnerability scanning, manual testing, password cracking etc. using state- of-the-art tools (commercial and open source) and techniques used by hackers with a objective to unearth vulnerabilities and weaknesses of the IT infrastructure. The audit will be conducted remotely from STQC laboratory. Vulnerability Assessment: Collect information about the current security configuration of the hosts/devices by running script /system commands with highest privilege (e.g. root/administrator) or copying the system configuration files as appropriate. The running of the scripts/commands or copying of the configuration files will be done by the respective system administrators of the client organization. The script/command outputs or the copy of the configuration file have to be submitted to the STQC assessors for analysis and interpretation. The scripts/command details will be provided by the STQC assessors. Vulnerability Scanning of the hosts for finding the system/service vulnerabilities. The scanning will be done without using any user credentials or in non-privileged mode. The vulnerability scanning can be done remotely from STQC laboratory if suitable access is given to the hosts/devices through Internet or VPN. Web Application Security Assessment: The application will be audited to discover any vulnerabilities/weaknesses. Open Web Application Security Project (OWASP) guideline will be followed for this audi 2 (1)Consignee: GM-EPS/CRIS, 7th Floor ITPI Building, 4-A Ring Road IP Yes Yes Not Allowed Estate, New Delhi-02. (2)Details of the contact person- a) For Administrative purpose- Sh SAM NAQVI,GM/EPS,9559804576,sam.naqvi@cris.org.in b) For Technical aspects-I)Kaushlesh Kumar,Sr. Project Engineer,9953001994,kumar.kaushlesh@cris.org.in II) Sonu Singh Patel,Project Engineer,8130797608,patel.sonu@cris.org.in (3) Non- Disclosure Agreement (NDA) will be signed Between Consignee & Consigner. (4) The responsibilities and work assigned to STQC shall be as per scope of work. Any Change in work schedule shall be mutually agreed between customer & STQC. (5) Cost and schedule implications, if any due to change in the scope at any stage during execution, of the assignment, shall be reviewed and revised.( 6) CRIS will make necessary technical arrangement so that the IREPS Application is available for audit, remotely from Kolkata over Internet. (7) In order to complete the work as per schedule, CRIS shall ensure readiness of the system to be verified and timely provide the documentation and required information to STQC. (8) CRIS will provide inputs required by STQC in time. If the timely inputs are not provided, then the STQC activities will be rescheduled accordingly. (9) STQC shall ensure timely completion if testing activities as per plan and submit the deliverables. (10) In case of discontinuation of the contract due to any reason from either side expressed in writing, one month notice period shall be given Page 3 of 4 Run Date/Time: 14/02/2024 13:11:40PROCUREMENT/CRIS TENDER DOCUMENT Tender No 01245048 Closing Date/Time 28/02/2024 15:30 3 Delivery Period condition -STQC will provide following reports: (1) First No No Not Allowed Assessment Report:- An observation report describing the discovered vulnerabilities, weaknesses and mis-configurations with recommended actions for risk mitigation will be submitted. (2) Final Assessment Report:- A verification audit will be conducted after the closure of issues raised in first assessment report and final report will be issued stating the status of the site after closure. Delivery Schedule: (1) Within 2 weeks to initiate work from the date of placement of Contract. (2) 4-6 weeks from the date of placement of Contract for completion of first assessment and submission of reports of first assessment (3) Final Assessment Report within 2-3 weeks from date of intimation for closing of non-compliance/Issues by CRIS. 6. DOCUMENTS ATTACHED WITH TENDER S.No. Document Name Document Description No Document Attached The tenderers in their bid shall indicate the details of their GST Jurisdictional Assessing Officers (Designation, Address & email id). In case of a contract award, a copy of Purchase Order shall be immediately forwarded by Purchaser to the GST Jurisdictional assessing officer mentioned in Tenderers bid This tender complies with Public Procurement Policy (Make in India) Order 2017, dated 15/06/2017, issued by Department of Industrial Promotion and Policy, Ministry of Commerce, circulated vide Railway Board letter no. 2015/RS(G)/779/5 dated 03/08/2017 and 27/12/2017 and amendments/ revisions thereof. As a Tender Inviting Authority, the undersigned has ensured that the issue of this tender does not violate provisions of GFR regarding procurement through GeM. Digitally Signed By AMP-III ( ANIL RAWAT )
3	Security Vulnerability Assessment of Servers and Network devices(VA)hosting IREPS Application At (Location) GM/EPS, CRIS Delhi 1.00 Numbers 3 003 Service Non Stock --- Yes CONSIGNEE INR (Y) Security Testing of the application for e-Auction, e-Reverse Auction and Contract Tracking, UDM module At (Location) GM/EPS, CRIS Delhi 1.00 Numbers 3. T AND C F.O.R Description Destination Page 1 of 4 Run Date/Time: 14/02/2024 13:11:40PROCUREMENT/CRIS
4	Security Testing of the application for e-Auction, e-Reverse Auction and Contract Tracking, UDM module At (Location) GM/EPS, CRIS Delhi 1.00 Numbers