Skip to main content
Cyber Security

Responding to a Government RFP ? – how is your security ?

By June 20, 2020November 2nd, 2020No Comments
RFP Security Checks

A Request For Proposal or RFP generally represents a fantastic opportunity for a company.

It’s the chance to make the case that you have what it takes, and a good RFP can land a valuable contract—whether that’s from the government or another big business.

Software companies are among those commonly presented with RFPS by various governmental departments and other organisations. And while your company may be able to come up with a fantastic software solution that will do the job as intended, there are other considerations that come into play when preparing a stellar proposal.

For governmental agencies in particular, software used must comply with the NZISM (New Zealand Information Security Manual). In the majority of cases, a proposal will be much more appealing to the agency in question if it comes ready to meet all certification requirements, with no extra work to be done in this regard. Submitting proposals is a competitive business, and certification offers an extra edge.

Certification tools

If you are seeking to let an agency that has sent out an RFP know that using your proposed solution will meet security requirements, there are a few preparatory steps to take. We have outlined these below.

  1. Assess how your application meets the requirements of the NZ Secure Web Services Standard. That document can be found here, and purports to “provide a common validated approach to the security and privacy of secure Web services across government.”
  2. Download and complete the GCDO Cloud Security Questionnaire. Available here, this is a great tool to help agencies select cloud-based solutions for ICT projects. It makes a good guide for all cloud security considerations.
  3. Have your own company security policies/procedures and controls complete and ready to share (if required by the agency) for review.
  4. Complete the Consensus Assessment Initiative Questionnaire at Cloud Security Alliance, found here. This is an industry-accepted way for a provider to document security controls existing in services like IaaS (infrastructure as a service), PaaS (platform as a service), and SaaS (software as a service) tools. You can request to download the questionnaire at the provided link.

These specific action points aside, anything you can do to develop a robust security policy in your own operations will go a long way towards making your proposal appealing. This should cover questions of customer data, systems management, data security, authentication, access control, logging and monitoring, privileged accounts, and vulnerability management.

Additionally, it is a good idea to approach the agency and ask about any specific security requirements they would like the solution to meet. Basically, while certification will be undertaken by the agency, you should present a software solution that is as ready as it can be.

Expert advice

Responding to an RFP brings with it a deadline. Developing a quality software solution in limited time is tough, so it can be difficult to give much attention to the many security considerations.

For many companies, this is time to call in the experts. A company like CANDA which often undertakes certification with clients will have the skills to work with you to ensure that your software solution will be ready for certification, even in the very initial stages. If your proposal is accepted, it is then relatively smooth sailing to have the software certified and ready to operate securely.