IRCON_FINAL_05082020
a) Provide Cloud Infrastructure Service for DC and DR for implementation of envisaged SAP system.
b) Provide MPLS connectivity from DC and DR cloud sites to the ENTITY Corporate Office - Delhi.
c) Provide internet bandwidth for accessing SAP S4HANA ERP by Project Offices in India and abroad.
e) Provide required Project Management, Training for Cloud Infra management, Go-Live and Hand Holding
support.
f) Operation & Maintenance (O&M) Support of the environment for total 4 years (1+3 years)
Please refer to the detailed scope of work section for more details on the scope.
Definitions
Customer: ENTITY, with its offices and project locations in India and abroad
Implementation Agency (“IA”): the company which has been selected for supply, implementation, upgrade and
integration and post implementation support of SAP S/4 HANA solution
Cloud Service Provider (“CSP”): A MeitY empaneled cloud service provider, participating in this bid directly.
Bidders are advised to go through this section thoroughly to ensure they understand the requirements
clearly. The requirements laid out here are the minimum, to the best understanding of the customer. Bidders
may offer any additional products, services or offerings over and above this, if required, to meet the overall
intended functionalities.
The terms “bidder” and “CSP” are used interchangeably here for the party meeting the required eligibility
criteria as mentioned in this tender and bidding for this project. A Cloud Service Provider (“CSP”) meeting the
Essential Qualifying Criteria (EQC) and Technical Qualifying Criteria (TQC) as laid down in this tender may bid for this
project.
The bidder shall provide all required equipment, tools and resources which may not be specifically stated
herein, but required to meet intent of ensuring completeness, maintainability and reliability of the total
system covered under this specification.
SAP S4/HANA ERP solution shall be accessible from all locations of ENTITY, with envisaged response time and
other quality parameters as mentioned in "SLA" section.
The Cloud, where the planned ERP solution will be hosted should comply with basic design principles, like:
Scalability: The configuration of the Cloud is expected to have adequate upgrade capability in terms of
processors, RAM, disk storage etc. which should be achievable with minimum disruptions to running system/
processes at no additional cost to the ENTITY. Also, for any software upgrades, updates, patches etc. released
by the ERP OEM, the Cloud should be capable of implementing them seamlessly as and when they are
released, at no additional cost to ENTITY.
Reliability: The Cloud should be reliable enough to comply with the SLA requirements provided in the RFP and there
should not be any outages. The Cloud platform should always run in redundancy/High Availability so that, in case
of any outage, the system automatically switches to the available servers.
Security: The Cloud should have the highest level of security features against both physical and cyber
threats. It is critical to have a set of IT security management processes and tools to ensure complete cyber
security of the ERP solution. An IT security policy, framework and operational guidelines as per ISO 27001 shall be
maintained by the Cloud service provider (CSP) as an overall guideline to all forms of IT security: physical,
application, data, network and cloud. The production environment shall be hosted in a different network/VLAN
from other environments.
Manageability: The Cloud should be easily manageable from a management console/ over the Web.
Backup: An appropriate archiving system (i.e. SAN, optical backup equipment or better alternative etc.) is to be
available on Cloud. Bidder has to archive the yearly backup for the complete contract duration. In the event of
serious failure, backed up data must be restored in the quickest possible time to ensure continuity of the
services. Backup is required for all servers, Development and Production.
Desired Features of Work for the bidder/ CSP for hosting the application on Cloud are as follows:
Selected CSP shall be responsible for hosting the entire ERP application and all ancillary in-scope applications
on/ as per Government Community Cloud (GCC) from MeitY empaneled Cloud Service Providers (CSPs) only,
which are empaneled as on the last date of bid submission.
Selected bidder shall ensure that support and maintenance, performance and up-time levels are compliant
with SLAs as laid down in the SLA section. The bidder is responsible for sizing the Infrastructure to support
the scalability, redundancy, high availability, security and performance requirements of the ERP solution.
The Cloud Service Provider (CSP) shall provide cloud service at Data Centre having Tier 3 and above
certification and must be ISO 27001 Certified.
The Cloud service provider should meet any security requirements published (or to be published) by MeitY or
any standards body setup / recognized by Government of India from time to time and notified to the CSP by
MeitY as a mandatory standard.
Proposed cloud solution shall have required monitoring tools to assess performance of the application, e.g.
round trip time, latency, VM lifecycle, bandwidth monitoring, security and billing etc.
Bidder shall make provision for servers, storage, backup, network, security and tools etc. infrastructure in the
cloud to meet the project requirements and as per the bill of material. The infrastructure shall be provisioned
with adequate redundancy / clustering for production environment and standalone for test and
development. Scope includes cost of all infrastructures, OS licenses, Virtualization or any other S/W licenses
required.
Bidder shall create logical domains on servers to provision application, web-layer, database layer etc. Bidder
shall also use virtual machines wherever required to run the software.
Bidder shall configure the clustering required between production servers for application, web and database
layers as per the instructions of ENTITY/ IA.
The overall cloud environment thus created must meet the uptime availability required by the Service Level Agreement,
i.e. 99.5% uptime of the environment.
Communication facilities like MPLS connectivity to the ENTITY Corporate Office, Internet based access
connectivity over VPN shall be provisioned as per the requirements mentioned in Bill of Material.
Bidder shall provision adequate backup media as per requirement for Backup and recovery policy for daily,
weekly, monthly, quarterly and yearly backup, and the data shall be retained as per data retention policy.
Bidder shall submit various MIS reports on daily, weekly and monthly basis as per agreed schedule, for
example- daily infrastructure utilization report. Schedule and formats of the reports will be finalized during
planning phase.
The successful Bidder shall have monitoring tools capable of providing the exact utilization of servers. The
Management tool shall provide personalized view into the performance and availability of the Cloud services.
Proposed cloud solution shall be truly elastic in nature and shall support scale up and down through provided
orchestration/ management portal. Additionally, the solution shall also support auto-scaling.
The bidder shall deploy sufficient manpower, suitably qualified and experienced, in shifts to meet the SLA
mentioned in this RFP.
Bidder’s proposal shall cover 24x7x365 support for all the items supplied through this RFP, including all
Infrastructure (cloud instances, software, tools etc.) via ticketing and on-call support through various
media like telephone, e-mail and chat. CSP shall rectify any issues within the timelines specified in the SLA
so as to ensure the uptime availability of the solution as asked.
Any updates, upgrades in the proposed Infrastructure and software which are required during the tenure of
the contract are in scope of the bidder.
Bidder shall provide a management, orchestration and monitoring console to ENTITY for managing the
environment and for monitoring health, quality and security parameters of the setup.
The platform should provide a dashboard/portal that allows users to request VM services, as
well as enables administrators to manage objects such as instances, images, quotas, storage volumes,
networks, security etc.
Proposed cloud solution shall support multiple Hypervisors.
Portal should also provide administrators a dashboard to manage resources, access control for users, quotas
for users, etc. and shall support integration with LDAP/ directory services for user authentication.
The CSP shall formulate an effective Back-up Strategy and Disaster Recovery Plan and take sign-off from ENTITY.
All servers will have a standard 3 * RAM (GB) as internal mirrored disks for OS, Kernel applications, SWAPs etc.
Disk space for Quality and Development systems can be disks mounted on servers, DAS or anything else
with a minimum RAID 5 level configuration.
Suitable Backup software and Infrastructure should be proposed - Backup is required at DC only (e.g. Backup
server, SAN Backup Agents, Disk to disk backup is required).
DR Sizing- 50% of PRD DC sizing.
Total 10 public IPs required.
DR to be hosted in other/different Cloud DC in different seismic zone.
At Disaster Recovery site 50% of Production environment is required to be allocated. This application
environment at DR site shall be installed and ready for use without any additional software and Database
license cost implication on ENTITY.
During any outage, including deletion of data, the DR site will become the primary site and 100% data recovery
shall be ensured as per RPO and RTO defined in the RFP. The VMs at DR shall be initially created with minimal
configurations, and shall be spun up with required images/ data mapping within the defined RPO and RTO.
Monitoring solution shall also provide dashboard view of RPO/ RTO.
The bidder shall carry out BCP/ DR drill twice in a year and submit a drill report to ENTITY.
Cloud should provide sufficient capacity in terms of data processing, data storage and network bandwidth to
handle the overall load and traffic coming to the ERP application without compromising the overall
performance of the system.
The CSP shall also ensure that the hosting services should be portable to another CSP (lift and shift) without
any changes to hosting environment. ENTITY retains the right to retrieve full copies of ENTITY Data residing
and all other information at any time during the project period from the selected cloud environment, and/or
shift the services to another cloud services provider.
The successful bidder should have capability for migrating S4 HANA ERP applications hosted on other Cloud
Service Provider’s environment to the cloud selected through this tender.
On expiry or termination of the contract, Bidder shall hand over all the data in a standard and agreed format.
The data and images handed over shall be standards-compliant and portable to another standard cloud service
provider or a physical infrastructure.
Cloud service provider shall provision required DNS services, public IPs, VPN Gateway, Web Gateway etc. to
ensure smooth end user experience and SLA driven delivery.
Cloud Service Provider shall be responsible for ensuring security of SAP applications and infrastructure from
any threats and vulnerabilities. The bidder shall ensure all provisions in place for a layered security approach,
like, HIPS, server AV, NIPS, 2 layers of firewalls, WAF, SSL encryption, IP Sec / SSL VPN, user authentication,
security logging and monitoring etc. to name a few.
To certify security posture of the implemented solution, the bidder shall get VAPT conducted by a 3rd party
CERT-In empaneled auditor of the cloud environment assigned for ENTITY. The frequency of audit of VAPT
will be once before go-live, and thereafter once in a year. Bidder needs to take necessary corrective actions
based on the auditor’s report and findings, without any additional cost to ENTITY.
Additionally, ENTITY shall have rights to conduct VA-PT tests on designated infrastructure, directly or
through a 3rd party security auditor.
Solution shall provide logs of all user activity within the CSP account, including actions taken through the management
console, command line tools, and any other services.
System shall prevent IP Spoofing. Cloud service should not permit an instance to send traffic with a source IP
or MAC address other than its own IP.
Solution shall have required mechanism in place for encryption of data in motion and data at rest. The
solution shall include required TLS/ SSL certificates.
The SAP system should be deployed on SAP certified hardware on cloud infrastructure.
ENTITY is looking for an IaaS solution. CSP may provide hosting services with suitable type of infrastructure as
required for the solution.
The bidder shall address all the errors/bugs/gaps in the functionality offered by the proposed solution at no
additional cost during the operations & maintenance period (i.e. 4 years from date of LOI and LOA). The bidder
shall identify and resolve application problems like system malfunctions, performance problems, data
corruption etc. due to which the ERP solution is not able to give the desired performance. Performance
here means infrastructure-related issues because of which the performance of ERP applications is affected.
CSP shall offer DC-DR cloud services with their Data Centre location within India only. All the physical servers,
storage and other IT hardware from where cloud resources are provisioned for ENTITY must be within Indian
Data Centres only. CSP shall ensure that ENTITY data resides within India only. All monitoring and provisioning
should be within India and 100% isolated from other regions outside India, in case the CSP has a global presence.
Items shown in red font are to be procured through this RFP. This RFP document covers tentative sizing
recommendations for these items. Bidder shall ensure to include all products & services to meet the solution
requirements.
A. Number of Users-
C. Environments-
a. Development,
b. Quality, and
c. Production
E. Database- HANA DB and MaxDB as suggested by SAP and IA for different modules
Note: 30 minutes of RPO, implying permissible loss of data for the said duration, will be ensured by
replication services from DC to DR scheduled at every 30 minutes’ interval
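The following added example (not part of the RFP) shows how a monitoring job could compute the achieved RPO from replication logs under the 30-minute schedule in the note above. It assumes snapshot-style replication in which a cycle protects data only once its copy is confirmed at DR; the log format, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

RPO_LIMIT = timedelta(minutes=30)  # RPO stated in the RFP


def ts(hhmm):
    """Parse HH:MM on a fixed, constructed date."""
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample log: (snapshot taken at DC, copy confirmed at DR, succeeded).
# Cycles start every 30 minutes as in the note above; the 10:00 cycle fails.
CYCLES = [
    (ts("09:00"), ts("09:04"), True),
    (ts("09:30"), ts("09:34"), True),
    (ts("10:00"), ts("10:07"), False),
    (ts("10:30"), ts("10:36"), True),
    (ts("11:00"), ts("11:03"), True),
]


def exposure_peaks(cycles, window_end):
    """Return (time, exposure) at each moment the data-loss window peaks.

    At time t the DR site can only restore the snapshot of the latest cycle
    that succeeded and was confirmed at or before t. Exposure grows until the
    next confirmation, so it peaks just before each confirmation and at the
    end of the observation window. The period before the first confirmed
    copy is not assessed.
    """
    good = sorted((c for c in cycles if c[2]), key=lambda c: c[1])
    if not good:
        raise ValueError("no successful replication cycle in the log")
    peaks = []
    restorable = good[0][0]  # snapshot time of the first confirmed copy
    for snapshot, confirmed, _ in good[1:]:
        peaks.append((confirmed, confirmed - restorable))
        restorable = max(restorable, snapshot)
    peaks.append((window_end, window_end - restorable))
    return peaks


def rpo_breaches(cycles, window_end, limit=RPO_LIMIT):
    """Peaks whose exposure exceeds the RPO limit."""
    return [(t, e) for t, e in exposure_peaks(cycles, window_end) if e > limit]


def max_interval(limit, worst_transfer):
    """Longest schedule interval that keeps peak exposure within the limit.

    Peak exposure is one schedule interval plus the transfer time of the
    cycle that ends it, so the interval must leave room for the transfer.
    """
    return limit - worst_transfer


if __name__ == "__main__":
    for when, exposure in exposure_peaks(CYCLES, ts("11:20")):
        flag = "BREACH" if exposure > RPO_LIMIT else "ok"
        print(when.strftime("%H:%M"), int(exposure.total_seconds() // 60), "min", flag)
    print("max schedule interval:", max_interval(RPO_LIMIT, timedelta(minutes=6)))
```

In the constructed log every confirmed cycle peaks above 30 minutes because the exposure window includes the transfer time, and the failed 10:00 cycle stretches it to 66 minutes. With a worst observed transfer of 6 minutes, the schedule interval would need to be 24 minutes or shorter to stay within the 30-minute RPO.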
Indicative backup and retention policy is as follows. CSP will come up with an appropriate strategy
during design and implementation
Backup Policy | Daily backup (Incremental) | Weekly Backup (Incremental) | 8 Hours | Monthly Full Backup
Application
File Server
Note: The first installation and configuration of SAN requires a complete data backup from the
server, with the mandatory backup time as per data capacity.
CHAPTER 7: Cloud DC/DR Security Recommendations
The infrastructure security architecture conceived by ENTITY has been detailed keeping in mind the
application layout, domain requirements, quick deployment means, business availability and an integrated
management and monitoring platform. The application layout and its tight integration with the infrastructure
security layout form the baseline, whereas the imminent threats towards the business being hosted and the type
of application hosted form the advanced design fundamentals.
The diagram below depicts the expected overall high-level security architecture to be deployed by the CSP at
its DC and DR data centers; however, the CSP can recommend / optimize the same as per their standards,
provided it still meets the requirements.
Some of the recommendations for security are as follows (CSP may have different approaches to address the
security requirements; however, in essence the solution shall meet end-to-end security objectives)-
No. | Security Domains | Security Requirements

1 | IT Security Standards Policy and Framework
The CSP needs to propose a customized approach on the IT Security Standards Policy and Framework addressing the
unique requirements of ENTITY for the proposed solution and application environments.
Key deliverables of ISMS implementation would be defining security policies and procedures documentation,
controls implementation as per ISMS, applicable ISO standards, MeitY guidelines and other applicable standards/
guidelines for cloud.
The CSP is required to provide the risk assessment methodology in performing the above phased activities and
brief on the report that will be submitted for ENTITY review.

2 | Server Security
Server Security should provide comprehensive protection, deployed on physical servers and security for virtual
machines, and should include:
o Anti-Malware
o Stateful Firewall
o Deep Packet Inspection / Intrusion detection and prevention (IDS/IPS)
o Application Control
o Log inspection

3 | Next Generation Network Firewalls
• All web tier, app tier and backend tier traffic to flow through these Firewalls.
• All branch traffic should flow through Intranet Firewall.
• All mobile and laptop based internet traffic should flow through Internet Firewall.
• SAP Web Dispatcher and Reverse Proxy to be hosted behind internet Firewall.
• SAP Fiori and EP to be hosted behind intranet Firewall.
• Appropriate throughput firewall to be considered for internet facing and intranet facing segments.

4 | Other Suggestions
• Anti-ransomware shall be part of the solution.
• CSP should provide VPN client for remote users who access the applications through VPN client (50 users will
be required for the VPN connection).
• Web Application Firewall is desirable before the Web Servers to protect them from application attacks like
cross site scripting, SQL injection etc.
• CSP shall have anti-DDOS solutions in place to protect from any DDOS attacks.
• For data at rest i.e. backup, the backup solution should support encryption. So while doing backup, data
should be encrypted.
• The data which is residing at database level should also be encrypted.
• The DB encryption should be end to end (Application to the DB).
• SSL certificate to be proposed for application level encryption of data and web communication.
• CSP shall have security incident response and management process in place.
• CSP shall support Vulnerability assessment and penetration testing services.
• CSP shall allow audit, review, and testing by ENTITY or its authorized partner for its hosted environment space.

8 | Web Application Firewalls (WAF)
• Any files, attachments or code are scrubbed with WAF built-in antivirus and antimalware services. Solution
should review all requests that have passed the tests for known attacks. If the request is outside of user or
automatic parameters, the request should be blocked.
• WAF to provide a correlation engine where multiple events from different security layers are correlated to
make a more accurate decision and shall help protect against the most sophisticated attacks. This combination
should provide near-100% protection from any web application attack, including zero day threats that signature
file-based systems can’t detect.
• WAF appliance to be placed on the traffic stream between the client and the web application, acting as a
reverse proxy.
• Connections to the web application are intercepted and inspected against the configured policies and profiles
before being forwarded to the DMZ servers (Web dispatcher and Reverse Proxy).
• Incoming traffic to be modified, blocked or logged.
• DMZ will have dedicated switches to facilitate isolated network from core
internal zone
• DMZ is to be used for assets that are externally shared (either publicly or
to 3rd parties). This includes Traffic originating from untrusted parties
such as the Internet.
Remote Location to DC/DR Connectivity
Remote locations- ENTITY branches, other subsidiary locations etc. will connect to the DC and DR over
MPLS/internet network.
Branch locations will have proper local IT infrastructure, including desktops/laptops, peripherals (printer,
scanner etc.), robust highly available network, and security solutions.
A significant number of users will connect to the DC/ DR over Internet through mobile devices/ onsite workstations.
The response time is usually split into wait time plus execution time. The SAP response time consists of the
following components:
Response time = wait time + execution time
where execution time is the sum of:
• Generation time during the run
• Load time for programs, screens, and graphical user interfaces
• Roll times for rolling in the work data
• ABAP processing time
• Database time
• Enqueue time for logical SAP lock processes
• CPIC/RFC time
• Roll wait time (excluding task types RFC/CPIC/ALE).
In addition to the cloud solution for the details mentioned above, bidder shall also quote for-
Project Timelines
All the servers as per sizing details and BOM should be configured and handed over to ENTITY within 2 months
of placing the Purchase order/Agreement, whichever is earlier.
CHAPTER 8: Landscape
Overall Design Considerations
• No single point of failure at production environment DC & DR
• Active & Passive setup between DC & DR
• 3 tier architecture – Web, App & DB
• Physical segregation of servers between the tiers
• Production in Hardware high availability state
• DR prod at 50% of DC prod
• HA not required at DR
• DC with Prod & Non-Prod.
8.1. Landscape for SAP S4 HANA ERP
An indicative Landscape for SAP S4 HANA ERP has been mentioned as below:
On HANA DB:
Sr.No. | SAP Solutions
1 | SAP S/4HANA (BPC, CM, CPM, AM)
2 | SAP BW4HANA
3 | SAP Enable Now
4 | SAP Business Objects
5 | SAP Enterprise Portal (ESS)
6 | SAP Solution Manager
7 | SAP Fiori Frontend Server
8 | SAP Process Orchestration
9 | SAP GRC
10 | SAP LSO

On Max DB:
Sr.No. | SAP Solutions
1 | SAP Content Server
Important Instructions:-
Please provide cost, line item-wise, for 4 years. Cost shall include implementation and comprehensive
support.
This sheet covers sizing of envisaged SAP DB and associated application servers. CSP to include any
additional item/ services to meet overall solution requirements
Security- Please include necessary security solutions (e.g.- Firewalls, anti-DDoS, AV/ HIPS, IPS/IDS etc.).
VAPT of yearly interval shall be included.
Operating System- Windows Server 2012/16 for DMS, Router and Enable Now servers; SUSE Linux 12 for
all other instances. (Versions of OS software mentioned are the bare minimum; the latest version shall be quoted.)
For S/4HANA Database (QA and Prod.) - Consider incremental growth as- 50% of mentioned Sizing in 1st
year, 75% in 2nd and 3rd year, and 100% afterwards (4th year). (Pay as you go Model based on SAP Sizing)
For all other component- propose best fit HANA DB instances/ virtual machines as the case may be,
for mentioned sizing from day-1
HA/ clustering- shall be considered as mentioned in the list below, consider minimum 2 instances wherever
HA/clustering is required.
DR- DR shall be considered for production environment. CSP may offer thin provisioning/ minimal
configuration VMs as appropriate at DR for cost optimization
RTO/RPO- Solution shall meet RTO/RPO of 4 hours and 30 minutes respectively. Solution shall have uptime
availability of minimum 99.5%.
Helpdesk and Managed Services- Solution shall be comprehensive in nature with all required managed
services and helpdesk covered in CSP scope for the complete solution offered by CSP.
SAP Process Orchestration Server 3000 48 400
NOTE: Scope of CSP is not limited to this BoM only; ENTITY can add or remove resources on an actual requirement/performance
basis. Bidder may add additional lines in CSP sizing BOM to show any item.
The bill of material shown above is minimum. Bidder must assess the requirements diligently and propose
the cloud resources accordingly.
It shall be noted that the bill of material and commercials will be evaluated based on quoted price for 4 years.
However, payments will be done on quarterly basis, on actual usage.
The CSP shall ensure below mentioned requirements while provisioning the Cloud solution for the User Department are met.
1. Provisioning of virtual machines, storage and bandwidth dynamically (or on-demand) on a self-service
mode or as requested.
2. Enable Service Provisioning via Application Programming Interface (API).
3. Secure provisioning, de-provisioning and administering [such as Secure Sockets Layer
(SSL)/Transport Layer Security (TLS) or Secure Shell (SSH)]
4. Support the terms of service requirement of terminating the service at any
time (on-demand).
5. Portal provisioned for the User Departments by the CSP shall also contain the following information:
a. Service Level Agreements (SLAs)
b. Help Desk and Technical Support
c. Resources (Technical Documentation, Articles/Tutorials, etc.).
6. The CSP shall carry out the capacity planning and do the Infrastructure sizing for the User Department
to identify & provision, where necessary, the additional capacity to meet the user growth and / or the peak
load requirements to support the scalability and performance requirements of the solution. There should not
be any constraints on the services.
7. The CSP shall ensure that the effective Remote Management features exist so that issues are addressed
by the CSP in a timely and effective manner.
8. Service Provisioning shall be available with two-factor / multi factor authentication via the
SSL through a web browser.
b) Operational Management
1. The CSP shall ensure that technology refresh cycles are conducted from time to time to meet the
performance requirements and SLAs. The management of network, storage, server, and virtualization layers,
platforms as included by CSP as part of their service offerings etc. shall be complete responsibility of CSP
during the technology refresh cycle.
2. The CSP shall provide a secure, dual factor / multi-factor method of remote access which allows the
Government Department designated personnel (privileged users) the ability to perform duties on the hosted
infrastructure.
3. The CSP shall ensure that Infrastructure is upgraded periodically without any financial impact to the
Government Department(s).
4. The applications / data hosted within the CSP environment shall be immediately deleted/destroyed, and the CSP
shall certify the VM and data destruction to the Government Department as per stipulations and shall ensure that
the data cannot be forensically recovered.
5. CSP shall ensure that patch management is performed from time to time or as & when required. CSP
shall alert the User Department in advance of any installation of patches via e-mail and cloud portal.
6. Patch management for OS security patches shall be responsibility of the CSP.
7. CSP shall ensure that all OS images created within the Cloud platform are regularly patched with the
latest security updates.
8. CSP shall monitor availability of the servers, system software and its network.
9. CSP shall investigate outages, perform appropriate corrective action to restore the
Infrastructure, software, operating system, and related tools.
10. CSP shall ensure that technology and hardware upgrades of their IT Infrastructure are done before end of
product life cycle and warranty.
11. CSP shall ensure that the software required by the User Department is provided in its
latest version. However, if required by the User Department, the operating system and
database may be provisioned with a version not more than two versions old.
c) Data Management
1. CSP shall enforce security controls and policies to secure data from unauthorized access in a multi-tenant
environment
2. CSP shall provide tools and mechanisms to the Government Department or its appointed agency for
defining its backup requirements & policy. The backup policy which is defined and implemented shall be an
automated process and backups should be taken on different mediums.
3. The CSP shall provide tools and mechanisms to the Government Department or
its appointed agency for configuring, scheduling, performing and managing back-ups and
restore activities (when required) of all the data including but not limited to files, folders, images, system
state, databases and enterprise applications in an encrypted manner as per the defined policy.
4. CSP shall be liable to transfer data back in-house or any other Cloud /
physical environment as required by the User Department, either on demand or in case of contract or order
termination for any reason.
5. CSP shall not delete any data at the end of the agreement (for a maximum of 45 days beyond the
expiry of the Agreement) without the express approval of the Government Department.
6. CSP shall ensure minimum 128-bit encryption is used for handling data at rest and in transit.
7. The CSP shall be responsible for deleting or otherwise securing Government Department’s
Content/Data prior to VM deletion and in case deleted, shall ensure that the data cannot be forensically
recovered when the Government Department or CSP (with prior approval of the Government Department)
scales down the services.
2. Incident Management
a. Provide Incident Management and Ticketing via web-based portal (tools) for any
incident occurrence during the operations.
b. CSP shall follow and adhere to latest ITIL V3 guidelines and process for the Incident management and
Problem management.
c. CSP shall provide a mechanism to carry out regular health check on Department provisioned cloud
infrastructure and facilitate download of the health check report as per the frequency identified/set by the
User Department.
d. For all Incidents / Issues with Severity ‘Critical and High’, the CSP Incident
Management Team shall be activated to provide resolution as per the SLAs defined by the User Department and
closure of the Incident. The teams shall be responsible for sending an Incident Report on a daily basis or as
desired by the User Department for all such Incidents to all the stakeholders, including officials designated by
the department.
e. For any re-occurring issue, the Problem Management Process shall be initiated, and a problem ticket
shall be created for the same. After permanent resolution of the re-occurring issue / Problem, the Problem
Ticket report should be sent across to all the stakeholders.
e) Integration Requirements
Provide support to all Application Programming Interfaces (APIs) including REST API that CSP
develops/provides.
1. The CSP shall ensure that Local Area Network (LAN) does not impede data transmission.
2. Provide a redundant local area network (LAN) infrastructure and static IP addresses from
customer IP pool or “private” non-internet routable addresses from CSP pool.
3. Ability to deploy VMs in multiple security zones as required for the project, defined by network
isolation layers in the Customer’s local network topology.
4. Provide access to Wide Area Network (WAN).
5. Provide private connectivity between a Government Department’s network and Data Center
Facilities.
6. IP Addressing:
Provide IP address assignment, including Dynamic Host Configuration Protocol
(DHCP).
Provide IP address and IP port assignment on external network interfaces.
Provide dedicated virtual private network (VPN) connectivity.
g) Backup Services
1. The CSP shall configure, schedule and manage backups of all the data including but not limited to files,
folders, images, system state, databases and enterprise applications as per the policy defined by MeitY or
the Government Department.
2. The CSP shall be responsible for file system and database backup and restore services.
3. The CSP shall be responsible for backup of virtual machines, storage volumes, file systems, and
databases within the CSP’s own Cloud environment.
4. The CSP shall be responsible for monitoring, reporting, notifications/alerts &
incident management, backup storage, scheduling & retention, restoration, backup data protection, etc.
5. The backup solution shall support retention period of minimum 30 days or as desired by the
User Department as per their needs.
6. The backup solution offered by CSP shall support granular recovery of virtual machines, database
servers, Active Directory including AD objects, etc. Government Organization should be able to recover
individual files, complete folders, entire drive, or complete system to source machine or any other machine
available in network.
7. The backup service must provide following capabilities:
o Compression: Support compression of data at source before backup
o Encryption: Support at least 128-bit encryption at source
o Alert: Support email notification on backup job’s success / failure
o File exclusion: Ability to exclude specific files, folders or file extensions from backup
o Deduplication: Provide deduplication capabilities
1. The CSP shall ensure that the cloud storage services are made available online, on-demand, and
dynamically scalable up or down as per request from the end users (Government Department or
Government Department’s nominated agencies) with two-factor authentication via the SSL through a web
browser.
2. The CSP shall provide scalable, redundant and dynamic storage facility.
3. The CSP shall provide users with the ability to add / remove storage with two-factor authentication via
the SSL through Cloud management portal and manage storage capabilities remotely via the SSL VPN clients
as against the public internet.
k) Security Requirements
1. The CSP shall be responsible for provisioning, securing, monitoring and maintaining the Infrastructure,
network(s), and software that supports the infrastructure and present Virtual Machines (VMs) and IT
resources to the Government Department.
2. The Data Center Facility of the CSP shall at minimum implement the security
toolset: Security & Data Privacy (Data & Network Security including Anti-Virus, Virtual Firewall, Multi Factor
Authentication, VPN, IPS, Log Analyzer / Syslog, SSL, DDoS Protection, HIDS/ NIDS, Rights Management,
SIEM, Integrated Vulnerability Assessment, SOC, Private Virtual Zones, Data Privacy, Data Encryption,
Certifications & Compliance, Authentication & Authorization, and Auditing & Accounting)
3. The CSP shall ensure that they comply with Cloud Security ISO Standard ISO 27017:2015.
4. The CSP shall ensure that they comply with Cloud Security ISO Standard Privacy Standard ISO 27018:2019.
5. Meet any security requirements published (or to be published) by MeitY or any standards body setup
/ recognized by Government of India from time to time and notified to the CSP by MeitY as a mandatory
standard.
6. MeitY and Government Department reserve the right to verify the security test results. In case of the
Government Community Cloud, MeitY and Government Department reserve the right to verify the
infrastructure.
7. Implement industry standard storage strategies and controls for securing data in the Storage
Area Network so that clients are restricted to their allocated storage.
8. Ability to create non-production environments and segregate (in a different VLAN) non-production
environments from the production environment such that the users of the environments are in separate
networks.
9. Cloud Offerings should have built-in user-level controls and administrator logs
for transparency and audit control.
10. Cloud Platform should be protected by fully-managed Intrusion detection system
using signature, protocol, and anomaly-based inspection, thus providing network intrusion detection
monitoring.
11. Cloud Platform should provide Edge-to-Edge security, visibility and carrier-class threat management
and remediation against security hazards like Denial of Service (DoS) and Distributed Denial of Service
(DDoS) attacks, botnets, etc. Also, shall provide protection against network issues such as traffic and routing
instability.
12. Cloud Platform should provide Web Application Filter for OWASP Top 10 protection as a service that
can be enabled for Government Departments that require such a service.
13. Access to Government Department provisioned servers on the Cloud should be through SSL VPN
clients only as against the public internet.
14. CSP shall allow audits of all administrator activities performed by Government Department and allow
Government Department to download copies of these logs in CSV or any other desired format.
15. Maintain the security features described below, investigate incidents detected, undertake corrective
action, and report to Government Department, as appropriate.
16. CSP shall deploy and update commercial anti-malware tools (for systems using Microsoft operating
systems), investigate incidents, and undertake remedial action necessary to restore servers
and operating systems to operation.
17. CSP shall provide consolidated view of the availability, integrity and consistency of the
Web/App/DB tiers.
18. CSP shall ensure that password policies adhere to security requirements as defined by
CERT-IN.
19. CSP shall ensure that all GoI IT Security standards, policies, and reporting requirements are met.
20. CSP shall meet and comply with all GoI IT Security Policies and all applicable
GoI standards and guidelines, other Government-wide laws and regulations for protection and security of
Information Technology.
21. CSP shall generally and substantially and in good faith follow GoI guidelines and CERT-In and MeitY
Security guidance. Where there are no procedural guides, generally accepted industry best practices for IT
security shall be used by the CSP.
22. Information systems must be assessed whenever there is a significant change to the system’s
security posture.
23. MeitY or MeitY appointed 3rd party shall conduct regular independent third-party assessments of the
CSP’s security controls to determine the extent to which security controls are implemented correctly,
operating as intended and producing the desired outcome with respect to meeting security requirements
and submit the results to MeitY and User Department.
24. In case CSP has industry standard certifications (assessed by a Third Party Auditor) that verify
compliance against the security requirements of the application document, SLA & MSA, results, relevant
reports, certifications may be provided with evidence along with the mapping of the industry standard
certification controls against the application document requirements. However, if there are any
requirements that do not fall under the industry standard certifications, the CSP shall get the Third Party
Auditor to assess the conformance to the requirements.
25. MeitY reserves the right to perform Penetration Test. If MeitY exercises this right, the CSP shall allow
MeitY’s designated third party auditors to conduct activities to include control reviews that include but are
not limited to operating system vulnerability scanning, web application scanning and database scanning of
applicable systems that support the processing, transportation, storage, or security of Department’s
information. This includes the general support system infrastructure.
26. CSP shall ensure that identified gaps are tracked for mitigation in a Plan of
Action document.
27. CSP shall be responsible for mitigating all security risks found and continuous monitoring activities. All
high-risk vulnerabilities must be mitigated within 30 days and all moderate risk vulnerabilities must
be mitigated within 90 days from the date vulnerabilities are formally identified. The
Government will determine the risk rating of vulnerabilities.
1. Provide a robust, fault tolerant infrastructure with enterprise grade SLAs with an assured uptime of
99.5%, SLA measured at the VM Level & SLA measured at the Storage Levels.
2. Service Availability (Measured as Total Uptime Hours / Total Hours within the Month)
displayed as a percentage of availability up to one-tenth of a percent (e.g. 99.5%).
3. Within a month of a major outage occurrence resulting in greater than 1 hour
of unscheduled downtime, describe the outage, including a description of root cause and fix.
4. Service provisioning and de-provisioning times (scale up and down) in near real-time
should be as per the SLA requirement of the Government Department. The provisioning /
de-provisioning SLAs may differ for the different Cloud Deployment Models.
5. Helpdesk and Technical support services to include system maintenance windows.
6. CSP shall implement the monitoring system including any additional tools required for measuring and
monitoring each of the Service Levels as per the SLA between the Government
Department and the CSP.
SLA Response Time and SLA Performance Metrics and related penalty
Priority 1 (Critical) | The system cannot be used for normal business activities. There is certainty of financial loss to the company. | 30 Minutes | Resolved within 90 Minutes
Priority 2 (High) | There is a problem with part of the system, which impacts on the company’s decision making. No viable workaround is available. There is a likelihood of financial loss. | 1 Hour | Resolved within 4 Hours
Priority 3 (Medium) | The efficiency of users is being impacted, but has a viable workaround. | 4 Hours | Resolved within 2 days
Priority 4 (Low) | A low impact problem that affects the efficiency of users but has a simple workaround. | 5 Hours | Resolved within 5 days
Priority 2 (High): The High defects shall be resolved within 4 Hours from the time of
reporting full details. This service level will be monitored on a monthly
basis. For calculation of penalty, the company will calculate the
number of violations by the successful bidder over the Quarter. The
calculation will be done as per the following table:
% defects resolved within 4 Hours | No of Violations considered
<=100% & >=95% | 0
<95% & >=90% | 1
<90% & >=85% | 2
<85% | 3
Priority 3 (Medium): The Medium defects shall be resolved within 2 days from the time of
reporting full details. This service level will be monitored on a monthly
basis. For calculation of penalty, the company will calculate the
number of violations by the successful bidder over the Quarter. The
calculation will be done as per the following table:
% defects resolved within 2 Days | No of Violations considered
<=100% & >=95% | 0
<95% & >=90% | 1
<90% & >=85% | 2
<85% | 3
Note: 1. Monthly performance evaluation will be conducted by the Company.
2. Penalty Calculations - The framework for Penalties, as a result of not meeting the Service Level Targets is as
follows:
a) The performance will be measured monthly for each of the defined service level metric against the
minimum/target service level requirements and the violations will be calculated accordingly.
b) The number of violations in the reporting period for each level of severity will be added and used for the
calculation of Penalties.
c) Penalty applicable for each of the Critical, High, & Medium severity violations is INR 10,000 (INR Ten
thousand) per violation.
d) For violation calculation every month, the defects closing date in that particular month will be considered
Commencement of SLA: The SLA shall commence from implementation period itself for
adherence to the implementation plan. The penalty will be deducted from the next
payment milestone during the implementation period. During the O & M period, the
penalty will be deducted from the next payments due.
C) Disaster Recovery
Sr. No | Parameter | Target | Penalty
1. | RTO | <= 2 hours | Rs. 10,000 per additional hour of delay subject to a maximum delay of 10 hours, post which ENTITY may invoke annulment of the contract.
2. | RPO | <= 30 min. The key transaction data shall have RPO of 15 minutes | Rs. 10,000 per additional block of 30 minutes subject to a maximum delay of 5 hours, post which ENTITY may invoke annulment of the contract.
3. | Mock Drill | □ To be conducted every 6 months □ Successful switch over and operation of application | Rs. 5000 for delay of each week subject to a maximum of 10% of contract value.
4. | Recovery of data lost during disaster | T weeks, where T is the time period mutually agreed between ENTITY and CSP for the 100% recovery of lost data | Rs. 5,000 for delay of each week subject to a maximum of 10% of contract value.
K) Miscellaneous Factors
Type | Measurement | Penalty
Help desk functioning | Weekly per project SLA 100% as per requirement timelines | Cloud Service provider should prepare and implement the help desk plan as per ENTITY’s modules within one month from the date of starting of contract failing to which penalty of 0.1% of the yearly contract value per week/part thereof for first two weeks, 0.20% of yearly contract value per week/part thereof for every subsequent week.
Scheduled downtime for System Maintenance per Week | Per Occurrence <= 2 times per month | Rs. (1,00,000) per occurrence for unscheduled downtime or scheduled downtimes exceeding the specified metric.
Maximum penalty can be up to 10 % of the contract cost, post which ENTITY may invoke
annulment of the contract.
□ The down time will be calculated on monthly basis. Non-adherence to any of the services
as mentioned below will lead to penalty as per the SLA clause and will be used to calculate
downtime. The downtime calculated shall not include the following:
□ Down time due to hardware/software and application which is owned by ENTITY at their
premises
□ Negligence or other conduct of ENTITY or its agents, including a failure or malfunction
resulting from applications or services provided by ENTITY or its vendors.
□ Failure or malfunction of any equipment or services not provided by the Bidder.
However, it is the responsibility/onus of the selected Bidder to prove that the
outage is attributable to ENTITY. The selected Bidder shall obtain the proof
authenticated by ENTITY’s official that the outage is attributable to ENTITY.
□ The Agency shall deploy sufficient manpower suitably qualified and experienced in shifts to
meet the SLA. Agency shall appoint as many team members as deemed fit by them, to
meet the time Schedule and SLA requirements.
SLA Exclusions: The time lost due to any of the following causes shall not be included in calculating “Resolution
Time”:
a. Time taken for scheduled maintenance/troubleshooting (including backup and restore times) either for
preventive purposes or improvement in function or other purposes.
c. Scheduled shutdowns as required by the company. The successful bidder may also request the company for a
shutdown for maintenance purpose, which request will not be denied unreasonably by the company.
e. Time taken to get approval from all stakeholders for the exclusive availability of system for support activities
where the prospective solutions can be tested prior to promotion into production.
g. Time taken by the third-party vendors and service providers for fixing a product related fault/defect,
replacement of part(s), or responding to clarifications.
In the event the company’s users are not defining the support category/severities, the successful bidder’s team
will analyse the problem and will set appropriate support category/severity to the problem. In case the
successful bidder’s support team does not agree with the support category/severity defined by the company’s user,
all such disagreements will be discussed with the Project Manager from the company.
CHAPTER 10: Commercial Bid Format
Product Description | One Time Charges | Recurring Charges: Year 1 | Year 2 | Year 3 | Year 4 | Total
SAP Cloud DC infrastructure
SAP Cloud infrastructure (Compute, Hypervisor, OS, Storage, Software’s, Tools, Networking and security etc. as per the scope mentioned in RFP)
Bidder is required to quote for all items required for complete solution, under the applicable line items in price BOM.
The bill of material shown above is minimum. Bidder must assess the requirements diligently and propose
the cloud resources accordingly. It shall be noted that the bill of material and commercials will be evaluated
based on quoted price for 4 years. However, payments will be done on quarterly basis, on actual usage.
Note:
In technical proposal, the attached format in technical BOM has to be used without prices.
Inclusive of GST will be at actual.
Correction of Error
Bidders are advised to exercise adequate care in quoting the prices. No excuse for corrections in the
quoted figures will be entertained after the proposals are submitted to ENTITY. All corrections, if any,
should be initialed by the person signing the proposal form before submission, failing which the figures
for such items may not be considered.
1. In case of discrepancy between the amounts mentioned in figures and in words, the amount in words
shall govern.
2. In case of discrepancy between the cost quoted in the pricing summary sheet for a component and the
total cost provided for the component in the detailed cost break up sheet, the detailed cost break up
sheet for the component will be considered.
3. In case of discrepancy between the total price given for a line item / component and the calculated total
price (number of units multiplied by the cost per unit for that line item), the total price given for a line
item / component will be considered.
4. The amount stated in the commercial proposal, adjusted in accordance with the above procedure, shall
be considered as binding, unless it causes the overall proposal price to rise, in which case the proposal
price shall govern.
5. The amount stated in the Commercial proposal will be adjusted by ENTITY in accordance with the above
procedure for the correction of errors and shall be considered as binding upon the Bidder. If the Bidder
does not accept the corrected amount of Financial Proposal, its Proposal will be rejected and EMD of the
bidder will be forfeited.
6. No adjustment of the price quoted in the Commercial proposal shall be made on account of any
variations in costs of labour and materials, currency exchange fluctuations with IN. currency or any other
cost component affecting the total cost in fulfilling the obligations under the agreement. No clauses for
price fluctuations due to fluctuation of the Indian currency against any of foreign currency will be
accepted during the period of the agreement.
7. All costs incurred due to delay of any sort, shall be borne by the Bidder.
8. ENTITY reserves the right to ask the Bidder to submit proof of payment against any of the taxes, duties,
levies indicated within specified time frames.
9. ENTITY reserves the right to ask the Bidder to submit analysis of rate and data sheet for the rates quoted
in the Commercial bid by the bidder
10. If the price for any of the services is not explicitly quoted in the commercial bid or mentioned as zero, it
is assumed that the price for that particular element is absorbed in some other service element for
which a price has been quoted, and ENTITY has the right to source services for which no price was
quoted or quoted as zero, at no additional price.
11. If taxes or any other applicable charges are not indicated explicitly, they are assumed to be bundled
within the prices quoted and unbundling of these charges will not be entertained either during
evaluation or while signing the agreement.
The commercial bid should be provided per the formats below this RFP.
Commercial bid of a bidder will be declared non-responsive if the bidder has proposed components in
the price bid which are different from the solution as mentioned in the technical bid.
Only those bidders whose technical bids have been found substantially responsive would be intimated
by ENTITY about their responsiveness. The Commercial bids would then be opened in the presence of
the bidders' representatives on a specified date and time to be intimated to the respective bidders. The
bidder names, the bid prices, the total amount of each bid and such other details as ENTITY may
consider appropriate, will be announced and recorded at the opening.
All the technically qualified bidders will be notified to participate in Commercial Bid opening process.
The commercial bids for the technically qualified bidders will then be opened on the notified date and
time and reviewed to determine whether the commercial bids are substantially responsive. Bids that are
not substantially responsive are liable to be disqualified at ENTITY’s discretion. The L1 vendor with total
cost of SAP 4 HANA ERP as per landscape for 4 years will be calculated.
The bid price will include all taxes and levies and shall be in Indian Rupees and mentioned separately.
Any conditional bid would be rejected.
The Bidder has to quote the rate in the BoQ Spreadsheet available online with this bid. Details to be
filled up for price bid are as below.
The fees shall be inclusive of GST, Income Tax, duties, fees, levies, charges, and commissions as
applicable under the relevant Laws of India. Should there be a change in applicable taxes, the actual
taxes on the date of billing would prevail.
Note:
1. The bidders may visit the site and obtain additional information at their own cost and responsibility.
2. In case Go-Live/Roll-out is advanced or delayed, payment will be on actuals and the corresponding operations
and maintenance phase will start after the Roll-out is completed.
3. All the prices are to be entered in Indian Rupees ONLY.
4. Prices indicated in the schedules shall be inclusive of all taxes, Levies, duties etc. It is mandatory to provide
breakup of all Taxes, Duties and Levies.
5. During the payment stage, ENTITY reserves the right to ask the Bidder to submit proof of payment against any
of the taxes, duties, levies indicated.
6. The Bidder needs to account for all Out of Pocket expenses due to Boarding, Lodging and other related
items. No additional/separate payment shall be made regarding the same.
7. For the purpose of evaluation of Commercial Bids, ENTITY shall make appropriate assumptions to arrive at a
common bid price for all the Bidders. This however shall have no co-relation with the Contract value or actual
payment to be made to the Bidder.
8. The Contract Price shall be firm and not subject to any alteration.
9. The CSP shall be deemed to have satisfied itself as to the correctness and sufficiency of the contract price,
which shall, except as otherwise provided for in the contract, cover all its obligations under the contract.
10. All payments shall be made for the corresponding goods or services actually delivered, installed, or
operationally accepted, per the Contract Implementation Schedule, at unit prices and in the currencies
specified in the Commercial Bids.
CHAPTER 11: Reporting Services
11.1 Testing Requirements for CSP
Following cloud resource deployment/provisioning, the testing of the same at Cloud site
becomes very important. Therefore, the Cloud Service provider must perform following
testing:
□ Infrastructure testing - The bidder should perform various testing procedures listed
below on infrastructure (server, storage and network infrastructure) provided at Cloud
site.
o VM testing
o Storage/Disk IO testing
o Network throughput testing
o CPU and RAM benchmarking testing
o Read/Write latency testing
□ Data Integrity Testing, Reverse Replication Testing and Switch over testing: The Cloud
Service provider will facilitate ENTITY to carry out these testing, whenever required.
Deliverables listed below should be accessible via online interface not later than 10 days
after the end of the calendar month and available for up to one year after creation. The
information shall be available in format approved by MeitY. The CSP shall monitor and
maintain the stated service levels as agreed in the Service Level Agreement. The CSP should
configure their tool to track and monitor the SLA and the same system generated SLA
reports should be submitted along with the invoice for payment.
Cloud Service provider shall submit the reports on a regular basis in a mutually decided
format. The Cloud Service provider shall work out the formats for the MIS reports and get
these approved by ENTITY within a month of being awarded the contract. The following is
only an indicative list of MIS reports that may be submitted to ENTITY:
The Cloud Service provider’s services offerings should be audited and certified by
STQC/MeitY.
The Cloud Service provider’s services offerings shall comply with the audit requirements
defined under the terms and conditions of the Provisional Empanelment of the Cloud
Service providers (or STQC/MeitY guidelines as and when published).
The Audit, Access and Reporting Requirements should be as per the terms and conditions of
the Provisional Empanelment of the Cloud Service provider.
The Cloud Service provider shall conduct vulnerability and penetration test (from a third
party testing agency which may be empaneled) on the proposed Cloud solution once
before go-live and once every year and reports should be shared. The Cloud Service provider
needs to update the system in response to any adverse findings in the report, without any
additional cost to ENTITY. ENTITY may also depute auditors to conduct security check/
vulnerability test/penetration test.
Additionally, the Cloud Service provider shall ensure all newly deployed Infrastructure is
compliant with all applicable regulatory requirements and is SAP HANA Certified, and with
ENTITY quality standards including ENTITY IT policies.
6.3.3 Co-ordination, co-operation and support to /from present cloud Service provider of
ENTITY
During all phases of the project, the CSP shall have coordination and full cooperation with
Cloud server provider of ENTITY for Data Migration of existing ENTITY SAP systems to new
SAP HANA Systems.
The Cloud Service provider shall support the team of ENTITY for the following activities:
• Co-ordinating issues for timely resolution.
• Knowledge Transfer of all activities performed by the Cloud Service provider as part of
installation, configuration, setup, operate and maintain.
• Development environment is hosted at a GCC Cloud currently. Bidder to consider any
coordination required for migration of Development environment from current CSP to its
own environment.
1. Continuity and performance of the Services at all times including the duration of the
Agreement and post expiry of the Agreement is a critical requirement of ENTITY. It is the
prime responsibility of CSP to ensure continuity of service at all times of the Agreement
including exit management period and in no way any facility/service shall be
affected/degraded. Further, CSP is also responsible for all activities required to train and
transfer the knowledge to the Replacement Agency (or ENTITY) to ensure similar continuity
and performance of the Services post expiry of the Agreement.
2. At the end of the contract period or upon termination of contract, CSP is required to
provide necessary handholding and transition support to ensure the continuity and
performance of the Services to the complete satisfaction of ENTITY.
3. CSP shall support ENTITY in migration of the VMs, data, content and any other assets
to the new environment created by ENTITY or any Agency on alternate Cloud
Service provider’s offerings to enable successful deployment and running of ENTITY’s
solution on the new infrastructure. CSP shall certify the VM, Content and data
destruction to ENTITY as per stipulations and shall ensure that the data cannot be
forensically recovered. CSP shall have the responsibility to support and assist ENTITY till
the Department is able to successfully deploy and access the services from the new
environment.
4. CSP shall not delete any data at the end of the agreement (for a maximum of 45 days
beyond the expiry of the Agreement) without the express approval of ENTITY.
5. During the exit/transition management process, it is the responsibility of the CSP to
address and rectify the problems with respect to migration of the Department
application and related IT infrastructure including installation/reinstallation of the
system software etc.
6. The ownership of the data generated upon usage of the system, at any point of time
during the contract or expiry or termination of the contract, shall rest absolutely with
ENTITY.
7. During the contract period, the CSP shall ensure that all the documentation required
by ENTITY for smooth transition including configuration documents are kept up to date
and all such documentation is handed over to ENTITY during the exit management
process.
All deliverables will be deemed to have been completed only after approval of authorized personnel of ENTITY. The
tasks that are provided in this document and under “Deliverables” are to be performed by the CSP in such a manner
that it will not affect the Project Schedule. The CSP shall adhere to the above time schedule for timely and successful
completion of the Project and submit the acceptance to this time schedule.
ABBREVIATIONS