National Consultant for review and testing of the Diia server infrastructure connectivity security settings
Home based / “Diia” SOE office
Ukraine has made significant strides in digitalizing the state and its functions. Successes of the Prozorro system, implementation of the national interoperability system for state registries (Trembita), increasing the transparency of the public sector through the open-data initiative, and development of digital public services under the "State in smartphone" initiative are well-known and documented. The Ministry of Digital Transformation (MDT), created in 2019, aims to continue and expand this trend. Most recently, the Government launched the "Diia.gov.ua" e-services delivery web portal and its namesake mobile application. These digital products embody the newest trends of digitalisation for citizens.
With support from its partners, MDT aims to rapidly develop new and improved e-services that will offer an enjoyable and secure experience. Recently Ukraine saw the development and implementation of several high-profile e-services in different spheres – business registration, construction, birth related services (eMalyatko), and others. At the very end of 2020, MDT launched a mechanism for individual entrepreneurs to apply for state support in the most battered economic sectors. E-service expansion, especially throughout the COVID-19 pandemic, helps citizens get no-contact access to governmental services. Such services also cut state administrative costs, bringing about more transparency into government-citizen interactions and slashing petty corruption.
Rapid development of e-services poses new challenges: cybersecurity threats and risks of personal data leaks. To address these challenges, MDT is constantly working on improving the information security of the Diia infrastructure (data centre, a set of web portals and the mobile application), organizes “Bug bounty” challenges and performs data protection audits. In August 2021 MDT launched the second “Bug bounty” challenge for the Diia application; it is the first public bug bounty launched by MDT.
On 1 January 2021, UNDP launched its new Digital, Inclusive, Accessible: Support to Digitalisation of State Services in Ukraine (DIA Support) Project. The project is made possible due to support of the Government of Sweden and is carried out in close collaboration with the Ministry of Digital Transformation of Ukraine (MDT) and other government stakeholders.
The project builds on extensive UNDP experience in two areas: administrative service reform and reengineering and digitalising public administration processes with broad citizen and expert engagement. As part of the project, UNDP will help the government partners – primarily MDT – select several service clusters in use by citizens representing vulnerable groups. Services will be packaged to accommodate everyday needs and transposed into a fully digital format. While working on creation of new digital services, the DIA Support Project will certify the software systems developed under Ukrainian regulations and in line with international cybersecurity practices.
Duties and Responsibilities
Objectives of the assignment
The main objective of the assignment is to review and test the Diia server infrastructure connectivity security settings and to produce recommendations for improving the settings and for further automating the monitoring of connectivity settings. The assignment has to be carried out under UNDP supervision in close coordination and cooperation with the MDT and the “Diia” SOE as the technical administrator of the Diia infrastructure.
Scope of services
It is expected that the Consultant will engage in the following types of activities:
- Review and testing of Diia data centre firewall settings:
  - general firewall settings;
  - internal firewall rules;
  - external firewall rules;
  - firewall rules for connections between data centres;
  - accessible URLs for applications.
- Review and testing of Diia data centre VPN settings:
  - general VPN settings;
  - access level settings;
  - cryptography settings.
- Creation of recommendations for organizing automatic testing and monitoring of firewall rules:
  - recommendations on tools to use;
  - recommendations on tool settings.
During the review and testing of the Diia data centre firewall and VPN settings, the Consultant has to perform practical testing of connectivity between all servers in the Diia server infrastructure (about 300 servers).
The resulting Firewall and VPN settings review and testing report should contain the following information:
- Testing results of connectivity and settings;
- What settings are good and do not require changes;
- What settings are weak and create risks for cybersecurity, how these settings should be changed;
- What settings are unreasonably tight and may be loosened, how these settings should be changed.
The report on recommendations for organizing automatic testing and monitoring of firewall rules should contain the following information:
- Proposition and justification for tools that can be used;
- Recommendations on general settings for proposed tools.
The activities listed above will be performed on the Diia server infrastructure with the following technology stack:
- Operating systems: CentOS, Ubuntu;
- Firewall: Nginx;
- VPN server: OpenVPN;
- Virtualisation: VMware vSphere, NSX-T v3.1.
MDT (“Diia” SOE) will be responsible for providing secure access to the Diia server infrastructure for the Consultant.
The Consultant will sign a non-disclosure agreement with MDT/“Diia” SOE to safeguard information on the results of the review and testing, on the structure of the Diia server infrastructure and on other technical information.
Measurable outputs of the work assignment/deliverables
- Deliverable 1. Firewall and VPN settings review and testing report. The draft of the report is to be approved by UNDP and MDT. Due within 35 working days after signing the Contract.
- Deliverable 2. Report on recommendations for organizing automatic testing and monitoring of firewall rules. The draft of the report is to be approved by UNDP and MDT. Due within 15 working days of completing Deliverable 1.
The Consultant will be primarily responsible for achieving the objectives of the assignment. The Consultant will report to the Diia Support Project Manager and will work closely with Diia Support Project Senior IT Specialist, MDT and “Diia” SOE representatives.
The Consultant will be responsible for all personal administrative expenses associated with the assignment. In case any public events are planned jointly by the Consultant and UNDP as part of the present assignment, the Consultant will not be responsible for the logistics of the events. UNDP will cover the conference costs (including possible printing, food, accommodation, etc.) on its own.
Monitoring requirements / Terms of payment
The Consultant will work under the overall supervision of the Project Manager. The Consultant will interact with UNDP and MDT/“Diia” SOE to receive any clarifications and guidance that may be needed. The Consultant will duly inform UNDP of any problems, issues or delays arising in the course of implementation of the assignment and take the necessary steps to address them.
UNDP will be the final authority to control the quality and evaluate the work. The satisfactory completion of each of the deliverables shall be subject to the endorsement of the Project Manager. Each deliverable will be delivered in a draft for comments and feedback before finalisation. No reports or documents should be published or distributed to third parties without the approval of UNDP.
All reports and results are to be submitted to UNDP in electronic form (*.docx, *.xlsx, *.pptx, *.pdf or other formats accepted by UNDP). The language of the materials and reports is Ukrainian. The final report (recommendations for organizing automatic testing and monitoring of firewall rules) should be submitted to UNDP for comments and approval not later than 30 November 2021.
UNDP will provide payment upon provision of each deliverable duly certified by UNDP in accordance with the schedule below:
Deliverable 1. 70%
Deliverable 2. 30%
- Demonstrates integrity by modelling the UN’s values and ethical standards;
- Promotes the vision, mission, and strategic goals of UNDP;
- Displays cultural, gender, religion, race, nationality and age sensitivity and adaptability;
- Treats all people fairly without favouritism;
- Fulfils all obligations to gender sensitivity and zero tolerance for sexual harassment.
Required Skills and Experience
Required experience and qualifications
- At least university degree (Bachelor’s) in computer science, communication technologies, cybersecurity or related field;
- At least 5 years of experience in the field of cybersecurity or information system administration or IT infrastructure management;
- At least 2 years of experience of deployment or administration of communication equipment (Cisco, FortiNet or similar);
- Technical project documentation development experience, publications and articles on information security or communication technologies will be an asset;
- Fluent Ukrainian; working knowledge of English will be an asset;
Documents to be included when submitting the proposal
- Personal CV, including information about experience in similar projects / assignments, as well as the email and telephone contacts of at least three (3) professional references;
- Financial proposal in line with the information presented in Section 4. Measurable outputs of the work assignment/deliverables;
- Duly accomplished Letter of Confirmation of Interest and Availability (template may be found at https://cutt.ly/Bzs6D4A);
- Examples of at least 2 technical documents written by the applicant.
Lump sum contract
The financial proposal shall specify a total lump sum amount, and payment terms around specific and measurable (qualitative and quantitative) deliverables (please, refer to Section 4 Measurable outputs of the work assignment/deliverables). Payments are based upon output, i.e. upon delivery of the services specified in the TOR. In order to assist the requesting unit in the comparison of financial proposals, the financial proposal will include a breakdown of Cost by Components.
- Educational background – 8 pts max
  - 8 pts – Master’s or similar in computer science, communication technologies, cybersecurity or related field;
  - 6 pts – Bachelor’s in computer science, communication technologies, cybersecurity or related field.
- Experience in the field of cybersecurity or information system administration or IT infrastructure management – 20 pts max
  - 20 pts – 9+ years of experience;
  - 17 pts – between 6 and 8 years of experience;
  - 14 pts – at least 5 years of experience.
- Experience of deployment or administration of communication equipment (Cisco, FortiNet or similar) – 20 pts max
  - 20 pts – 6+ years of experience;
  - 17 pts – between 3 and 5 years of experience;
  - 14 pts – at least 2 years of experience.
- Technical project documentation development experience, publications and articles on information security or communication technologies – 20 pts max
  - 20 pts – technical project documentation development experience, publications and articles on information security or communication technologies;
  - 14 pts – technical project documentation development experience.
- Language Skills – 2 pts max
  - 2 pts – native / fluent Ukrainian; working knowledge of English;
  - 1 pt – native / fluent Ukrainian.
Maximum available technical score – 70 points
Cumulative analysis
Contract award shall be made to the incumbent whose offer has been evaluated and determined as:
a) responsive/compliant/acceptable, and
b) having received the cumulative highest score out of a pre-determined set of weighted technical and financial criteria specific to the solicitation.
* Technical Criteria weight: 70%
* Financial Criteria weight: 30%
Only candidates obtaining a minimum of 70% of the maximum available technical score (49 points) will be considered for the Financial Evaluation.
The maximum number of points assigned to the financial proposal is allocated to the lowest price proposal and will equal 30. All other price proposals will be evaluated and assigned points as per the formula below:
30 points [max points available for financial part] x [lowest of all evaluated offered prices among responsive offers] / [evaluated price].
The proposal obtaining the overall cumulatively highest score after adding the score of the technical proposal and the financial proposal will be considered as the most compliant offer and will be awarded a contract.