Please note that insecure products, solutions and services lead to exposure to threats and cyber security breaches for procuring entities. Assuring cyber security as a feature of products and services and improving cyber security require ensuring cyber security as a part of procurement, which will also help in building a cyber security culture. Building awareness in Govt. agencies to adopt cyber security controls as a part of procurement of ICT products and services, as well as engaging industry to put cyber security control requirements into practice, is crucial for meeting the objective of assuring cyber security.
It is noted that many times various clauses, provisions and guidelines regarding cyber security requirements mandated by MeitY are not being incorporated by buyer organizations while making procurements, due to lack of awareness. In order to give inputs to the procuring authorities regarding these aspects, the Indian Computer Emergency Response Team (CERT-In) has drafted a discussion paper on including the cyber security control matrix for procurement of services and solutions by Govt. organizations. This discussion paper contains the cyber security control matrix for procurement of services and solutions by government organizations. The control matrix includes Governance and Policy, Confidentiality, Availability, Regulatory Complex, Audits and Situational Awareness, Data Security, Application Security and Network Security. The discussion paper indicates the specification and requirement of different controls, as well as indicative methods of verification for each control matrix. A copy of the discussion paper is enclosed herewith.
All the organizations making procurement through GeM are hereby requested to take note of the discussion paper drafted by CERT-In on “Cyber Security Controls matrix for procurement of Services & Solutions by Government Organizations”. The letter with enclosure is as per Annexure.
It may be noted that procuring entities may select and include appropriate and applicable controls from the control matrix indicated in the discussion paper as a part of their procurement of ICT services and solutions. Procuring entities may also consider adding additional specific controls as per their risk profile and scope of services.
It may also be noted that adoption of cyber security controls by procuring entities in the procurement process may be kept as voluntary (as best practices). However, after a year, based on the outcomes and learning, controls may be mandated as a part of all ICT-related procurement by Govt. entities.
All the buyer organizations are requested to note the above for necessary action at their end. For further details regarding cyber security aspects, the websites of MeitY and CERT-In may also be referred to.