Request for Proposal (RFP) for Selection of Agency for Cloud Management Office (CMO)

Transcription

1 Request for Proposal (RFP) for Selection of Agency for Cloud Management Office (CMO) Department of Information Technology Electronics Niketan, 6, CGO Complex New Delhi XXXX September 2015 Page 1 of 91

2 This Page is Intentionally Left Blank Page 2 of 91

3 Contents GLOSSARY BACKGROUND PURPOSE OF THE RFP RFP ISSUING AUTHORITY TENTATIVE CALENDAR OF EVENTS SCOPE OF WORK DELIVERABLE PREPARATION METHODOLOGY GOVERNANCE STRUCTURE AND ACCEPTANCE OF DELIVERABLES RESOURCE REQUIREMENTS PROJECT TIMELINES PAYMENT SCHEDULE INSTRUCTIONS TO BIDDERS PROCESS OF EVALUATION GENERAL CONDITIONS ANNEXURE DOMAINS & CRITICAL AREAS TO BE ADDRESSED ANNEXURE PRE-QUALIFICATION CRITERIA ANNEXURE FORM FOR SUBMISSION OF PREQUALIFICATION INFORMATION ANNEXURE METHODOLOGY FOR EVALUATION OF TECHNICAL PROPOSAL ANNEXURE FORM FOR SUBMISSION OF TECHNICAL BID ANNEXURE FORM FOR SUBMISSION OF FINANCIAL BID ANNEXURE REQUEST FOR CLARIFICATION FORMAT ANNEXURE RFP RESPONSE COVER LETTER ANNEXURE UNDERTAKING ON ABSENCE OF CONFLICT OF INTEREST ANNEXURE FORMAT FOR PREVIOUS PROJECT EXPERIENCE ANNEXURE FORMAT FOR PROFILE SUMMARY & PROFILES ANNEXURE FORMAT FOR EARNEST MONEY DEPOSIT (EMD) Page 3 of 91

4 This Page is Intentionally Left Blank Page 4 of 91

5 Glossary Acronym Full Form Page 5 of 91

6 This Page is Intentionally Left Blank Page 6 of 91

7 1. Background MeghRaj Policy of Government of India Cloud Computing Services provide the new model of offering services (including IaaS, PaaS and SaaS) to the users at fast pace which is also cost effective. In order to utilize and harness the benefits of Cloud Computing, Government of India has embarked upon a very ambitious and important initiative GI Cloud which has been coined as MeghRaj. The focus of this initiative is to evolve a strategy and implement various components including governance mechanism to ensure proliferation of Cloud in government. DeitY has announced MeghRaj Policy to provide strategic direction for adoption of cloud services by the Government ( The aim of the cloud policy is to realize a comprehensive vision of a government private cloud environment available for use by central and state government line departments, districts and municipalities to accelerate their ICT-enabled service improvements. MeghRaj policy of Deity states that Government departments at the Centre and States to first evaluate the option of using the GI Cloud for implementation of all new projects funded by the government. Existing applications, services and projects may be evaluated to assess whether they should migrate to the GI Cloud. As per the MeghRaj policy, it is proposed to: a. Setup GI Cloud: GI Cloud, Government of India s cloud computing environment, will be a set of discrete cloud computing environments spread across multiple locations, built on existing or new (augmented) infrastructure, following a set of common protocols, guidelines and standards issued by the Government of India. The GI Cloud services will be published through a GI Cloud Services Directory. The GI Cloud environment is envisaged to be initially established building on the infrastructure investments already made or augmentation of the same by the creation of discrete cloud computing environments at the national and state levels termed as National Clouds and State Page 7 of 91

8 Clouds respectively. Based on the demand and taking into account security related considerations, government proposes to engage the services of private cloud providers. b. Create egov AppStore: egov AppStore will include the setting up of a common platform on National Clouds to host and run applications, developed by government agencies or private players, which are easily customisable and configurable for reuse by various government agencies or departments at the central and state levels without investing effort in the development of such applications. c. Publish through GI Cloud Services Directory: The GI Cloud services and the applications in egov AppStore will be published through a single GI Cloud Services Directory for use by government departments or agencies at the Centre and States. Implementation Strategy Implementing the MeghRaj Policy to realize the GI Cloud Services and facilitate adoption of GI Cloud services by the end user departments requires multi-pronged approach. a. Identification of the relevant Standards and development of the required guidelines Below diagram provides the high-level view of the cloud ecosystem with the various actors along with the indicative roles. Page 8 of 91

9 The cloud providers would require the common standards & guidelines on the security, interoperability, data portability, SLAs, contractual terms & conditions, service definitions that they would need to adhere to in order to be part of the GI Cloud environment. From a cloud consumer perspective, the consumers would require guidelines on selecting a cloud service provider within the GI Cloud Services Directory, guidelines on integrating the cloud services with the internal IT systems and the recommended contractual terms & conditions along with the service levels that will have to be executed between the cloud consumer and the cloud service provider. The below diagram depicts the need for various guidelines / standards from the stakeholder perspective. Page 9 of 91

10 In order to realize the policy and facilitate cloud services adoption by the Center and States, there is a need to define the GI Cloud Reference Architecture, identify the common standards and service definitions; develop guidelines with respect to security, service delivery, interoperability and portability that the cloud service providers (CSPs) will have to adhere to, for the departments to leverage cloud services. b. Facilitate Setting up of GI Cloud Once the standards and guidelines are published, the Cloud Service Providers will need to get accredited by DeitY to become part of the GI Cloud. The accreditation of offered cloud services will require certification of compliance to the published standards and guidelines. It is expected that the audit of cloud services to verify the compliance will be carried out by the cloud auditors. The cloud auditors will be accredited / empaneled through an accreditation / empanelment process and will have to adhere to the audit guidelines that will be published by DeitY. Page 10 of 91

11 c. Capacity Building of the end-user departments There is a key need to create the awareness of these initiatives in the user departments, showcase the advantages of migrating to cloud services and ways to address the potential risks for faster adoption of the policy. The departments will also need considerable handholding support in navigating the applicable standards & guidelines and migrating to the cloud services. Further, the capacity building initiatives need to be taken up at the department level to enhance the capabilities of the department to procure & manage the contracts with the cloud service providers. Cloud Management Office (CMO) To facilitate the implementation of the MeghRaj policy and realize its vision, DeitY proposes to setup a Cloud Management Office (CMO) that will take a lead role in operationalizing the cloud initiative. CMO will help in setting up of an ecosystem for GI Cloud leading to faster implementation of the cloud policy to realize the intended benefits of GI Cloud. The end objective of the CMO is to facilitate publishing of GI Cloud services through a single GI Cloud Services Directory and enable end user government departments, both at the Centre and States, leverage the cloud services. Page 11 of 91

12 Cloud Management Office (CMO) - Concept of Operations Architecture Management Group (AMG) Reference Architecture, Standards, Specifications and Frameworks Auditor Accreditation Guidelines & Processes (CSP Offerings / SaaS Offerings) CSP / SaaS Offering Accreditation Guidelines & Processes Guidelines, Model SLAs and Model Contracts Training Curriculum, Content and Plan CSP / SaaS Offerings Provider Start Select Accredited Auditor SaaS, CSP Auditors Start Apply for Accreditation Audit CSP Offerings & SaaS Offerings for adherence to Standards.& Processes Submit for verification E & AG Verify the credentials of the prospective Auditor as per Guidelines Verify the Audit Findings Recommend for Accreditation Recommend for Accreditation DeitY Accredits Auditors End Accredits the SaaS Offerings & CSP Offerings GI Cloud Portal and Directory Agency Add SaaS Offerings and CSP Offerings to GI Cloud Directory End Central / State Depts. Start View the details of CSP Offerings & SaaS Offerings in the Directory Select CSP Offerings and SaaS Offerings Apply Model SLAs, Model Contracts etc. End While under the overall architecture, the Cloud Management Office (CMO) will operate across three verticals, the responsibility of the Agency selected under this RFP will be a subset of activities as indicated below: 1. Architecture Management Group (AMG) with the responsibility of Identification of the relevant Standards, Develop Specifications & Frameworks and Formulate the required guidelines. Responsibility of the Agency selected under this RFP: All the above activities Page 12 of 91

13 2. Empanelment and Accreditation Group (E&AG) with the responsibility of accreditation the Cloud Auditors and Accreditation of Services offered by the Cloud Service Providers. E&AG will assist in overall program management of the cloud initiatives in DeitY and more importantly assisting in operationalizing the accreditation processes for the auditors, offerings of cloud service providers and offerings from SaaS providers. Responsibility of the Agency selected under this RFP: Preparation of guidelines, RFPs, contracts and other artifacts required for the accreditation / empanelment of cloud & SaaS auditors and accreditation of services offered by cloud service providers. Deity will undertake the Accreditation process as a separate activity. 3. Capacity Building & Advisory Services Group (CB&AG) with the responsibility of creating awareness about the cloud initiative and assisting the end user departments in migrating to the GI Cloud. Responsibility of the Agency selected under this RFP: Preparation of training material, artifacts and delivery of training to the trainers. Deity will undertake the delivery of training and advisory services to the end user departments as a separate activity. CMO will also support DietY in overall coordination and monitoring the progress of the cloud related initiatives including GI Cloud environment, egov Appstore, and GI Cloud Services Directory. Page 13 of 91

14 2. Purpose of the RFP The primary purpose of this RFP is to enable DeitY to select an Agency that acts as the Cloud Management Office (CMO) and carries out the activities envisaged for the CMO. The details of the assignment, scope of work, evaluation process are outlined in the sections below. The RFP is not an offer by DeitY but an invitation to receive proposals from eligible and interested bidders in respect of the above-mentioned project. The RFP does not commit DeitY to enter into a binding agreement in respect of the project with the potential bidders. Potential bidders are henceforth referred to as Bidders in this document. Page 14 of 91

15 3. RFP Issuing Authority This RFP is issued by the DeitY to the bidders and is intended to select the Agency for setting up Cloud Management Office (CMO). DeitY s decision with regard to the selection of bidders through this RFP shall be final and the DeitY reserves the right to reject any or all the bids without assigning any reason. S. No. Item Description 1 Project Title Selection of Agency for Cloud Management Office (CMO) 2 Project Initiator / RFP Issuer Details Department Department of Electronics and Information Technology (DeitY) Contact Person Contact Person (Alternate) Address for all Bid Correspondence Address for the purpose of Bid Submission DeitY Website Kshitij Kushagra Scientist D/Joint Director Department of Information Technology Electronics Niketan, 6, CGO Complex New Delhi Tel: Uma Chauhan Scientist F/ Director Department of Information Technology Electronics Niketan, 6, CGO Complex New Delhi Tel: XXXXXXX( ID) Kshitij Kushagra Scientist D/Joint Director Department of Information Technology Electronics Niketan, 6, CGO Complex New Delhi Tel: Page 15 of 91

16 4. Tentative Calendar of Events The following table enlists important milestones and timelines for completion of bidding activities: S. No Milestone Date and time 1 Release of Request For Proposal (RFP) XXX 2015 (T0) 2 Last date for submission of written questions by bidders XXX 2015 (T0+8d) 3 Pre- Bid Conference XXX 2015 (T0 + 10d) 4 Date of Issue of Clarifications XXX 2015 (T0+15d) 5 Last date for Submission of bids XXX 2015; 16:00 hours (T0+6 weeks) 6 Opening of Tech Bids XXX 2015; 16:30 hours (T0+6 weeks) 7 Opening of Financial bids To be informed later Page 16 of 91

17 5. Scope of Work The overview of the scope of work of the Agency as the Cloud Management Office (CMO) is given below: 1. Identification of the relevant Standards; Development of Specifications; Creation of Frameworks; and Formulation of the required guidelines 2. Designing the Accreditation Strategies, Processes, Templates, RFPs and MSAs for accreditation of the Cloud & SaaS Auditors and Offerings of the Cloud Service Providers and SaaS Providers 3. Developing Capacity Building Curriculum, Content & Artifacts 4. Support DeitY and End User Departments While the broad scope, as per the current understanding, is elaborated in this section, it is envisaged that requirements for new deliverables such as new standards, frameworks, guidelines, training artifacts will be discovered as the policy gets implemented on ground. The Agency, under the role of CMO, will take up the new deliverables that fall within its original objective of assisting DeitY in realization of the below mentioned project outcomes at no additional cost to DeitY. 1. Enabling of GI Cloud Directory enabled with various accredited cloud services offerings from Private Cloud Service Providers, PSU Cloud Service Providers, State & National Government Cloud Services 2. Frameworks, Guidelines and Training Artifacts available for the end user departments to evaluate, procure, migrate and leverage cloud services DeitY will re-prioritize the planned deliverables / work items so that the new deliverables can be taken up within the same overall effort. Refer to the Section 9: Project Timelines for the quarterly deliverable plan. The operationalization of the accreditation processes & implementation of the capacity building programs & advisory services is out of scope for the Agency. Page 17 of 91

18 Work Item 1: Definition of the Services / Standardization of the Nomenclature of Cloud Service Offerings The objective of this work item is to enable standardization of the nomenclature of various service offerings across the end user departments and the cloud service providers offering services to government departments. As per the MeghRaj Policy, Government of India has adopted the National Institute of Standards and Technology s (NIST) definition of cloud computing including the essential characteristics, service models, and deployment models as defined by NIST. Any other services / service offerings that are not defined under NIST need to be defined with the objective of standardization. The scope of the Agency under this work item includes: 1. Comprehensive listing of service offerings of the cloud service providers along with the details of the offerings in consultation with the cloud service providers 2. Adopted definition of each of the Services (beyond the ones defined under NIST) from the widely accepted definitions from global standards agencies / institutes 3. Create a standard listing of the service offerings to enable creating a common service catalogue 4. Background note providing the list of different services, available definitions from the different standards organization and details of the analysis 5. End-user guide for easier understanding of the definitions Work Item 2: Prioritization of the Cloud Service Offerings There are multiple offerings of a Cloud Service Providers that include IaaS, PaaS, SaaS, Disaster Recovery-as-a-Service (DRaaS), Testing-as-a-Service, Security-as-a-Service, Storageas-a-Service,. The objective of this Work Item is to prioritize the cloud service offerings to enable identify & publish the standards / specifications / guidelines for highest priority / highest demand cloud service offerings at the earliest to facilitate faster adoption of the cloud services by the end user departments. Page 18 of 91

19 The scope of the Agency under this work item includes: 1. Background note detailing the summary of consultations with the DeitY and key stakeholders to assess the needs of the end-user departments and assist in prioritization through 1 2 workshops that will be facilitated by DeitY. 2. Prioritized & Phasing of the cloud service offerings for which the standards, specifications, guidelines have to be developed in the first phase Once the highest priority / highest demand cloud service offerings are addressed in the first phase, the remaining ones shall be addressed in a phased manner. Work Item 3: Detailing the GI Cloud Reference Architecture GI cloud reference architecture is required to standardize on the nomenclature of terms, various actors and their roles & responsibilities in the GI cloud ecosystem. As indicated earlier, Government of India has adopted the Conceptual Reference Model of National Institute of Standards and Technology s (NIST). The objective of this work item is to further elaborate and expand the reference architecture to suit the requirements of GI Cloud. In case it is found appropriate to adopt a new reference architecture (other than NIST reference architecture), the same need to be recommended for adoption with full justification in consultation with DeitY. The scope of the Agency under this work item includes: 1. Study & Analysis of the available reference architectures (e.g., NIST, CSA, ) widely used / adopted for cloud computing domain 2. Background note providing the underlying analysis of the various reference architectures studies to arrive at the recommendations 3. Recommendation on the GI Cloud Reference Architecture detailing to the micro level 4. End-user guide for easier understanding of the reference architecture 5. Development of a clickable map/chart providing details of all components, so that it can be used for reporting of status of individual deliverables Page 19 of 91

20 Indicative References that may be studied for better understanding of the work item: i. Standards Developing Organizations and Industry Bodies such as NIST, CSA, ii. iii. Major OEMs such as IBM, Intel, HP, Microsoft, Major CSPs that publish their own reference architecture Work Item 4: Risk & Security Assessment and Decision Framework Different departments deal with data of varying sensitivity. Some of the data (personal identifiable information, payment details,..) may need to be managed as per the applicable Indian Government s Laws & Regulations. Similarly, the security requirements of the departments may also vary and are amenable for categorization into pre-defined categories. Once the risk & security profile of the application is assessed, the department needs to understand the available options of the cloud services that may be leveraged for their set of applications / data. The available options may be classified (indicative only) on the following: 1. Nature of cloud service offerings (public, private, community, hybrid); 2. Ownership of cloud service providers (Private, PSU, Government, Own); 3. Operational control of cloud services (Private, PSU, Government, Own); 4. Level of control / responsibilities of cloud services shared between the cloud consumer and cloud service provider (least to complete control); and 5. Location of data (within India, on-premises, off-premises). The objectives of this Work Item are: 1. Standardize the business impact / risk & security levels to enable departments adopt uniform terminology 2. Provide frameworks and tools to enable departments to a. Assess the risk & security profile of their applications / data / services for cloud adoption / migration and b. Understand the available options of the cloud services that may be leveraged for their set of applications / data Page 20 of 91

21 The scope of the Agency under this work item includes: 1. Study of the existing standardization of the risk levels adopted in different countries to understand the various prevalent risk levels. The team also need to consult with Cert-In, Data Security Council of India (DSCI), National Critical Information Infrastructure Protection Center (NCIIPC), NTRO and study the IT Act (including its amendments), National Cyber Security Policy, and other relevant Acts & Policies for formulating the recommendations. Meetings for the same shall be facilitated by DeitY. 2. Study the applicable Indian Laws & Regulations as well as the Foreign Regulations (e.g., US PATRIOT Act, ) that may become applicable on the adoption of cloud services 3. Recommendation on the Standardization of Business Impact / Risk and Security Levels 4. Framework for assessing the risk & security profile (as per the standardized risk levels) of any given application / service / data being considering for adoption / migration to cloud 5. Framework for assessing the available options of the cloud services (nature of cloud service offerings; nature of cloud service providers; and location of data) that may be leveraged for a given risk & security levels 6. Tool for end user to navigate through the frameworks developed above with a set of questions & answers 7. Background note providing the various risk levels adopted in other countries, relevant inputs from the stakeholder discussions, inputs considered from applicable Acts & Policies and details of the underlying analysis & justification of the developed frameworks & tools 8. End-user guide with scenarios / examples for easier understanding of the risk & security levels 9. End-user guides with scenarios / examples for easier understanding of the frameworks and tools needs to be prepared The existing frameworks & tools available with DeitY may be studied while developing the new frameworks and guidelines. Page 21 of 91

22 Indicative References that may be studied for better understanding of the work item: i. Similar frameworks developed by US (e.g., FedRAMP, NIST,..), UK (e.g., Extract from HMG IA Standard No. 1 Business Impact Level Tables), EU (e.g., Moving to Cloud (A white paper produced by the Cloud Computing Use Cases Discussion Group)), Singapore (e.g, Multi-Tier Cloud Security), ii. Similar frameworks developed by Industry Bodies / Associations and major OEMs Work Item 5: Identify the domains & critical areas where Standards have to be identified and Specifications / Model Frameworks / Templates / Guidelines are to be developed The indicative domains and areas where Standards have to identified and Specifications, Model Frameworks, Templates, Guidelines have to be developed are listed under Annexure I. The GI Cloud Reference Architecture may be used as a baseline for identifying the various domains. The scope of the Agency under this work item includes: 1. Comprehensively identify all the domains (e.g., functional, non-functional, technical, security, operational, legal,..), sub-domains and critical areas relevant to cloud computing 2. Create a matrix identifying how each domain would be addressed, i.e., whether the domain would require one or more of: Standards / Specifications / Model Frameworks / Templates along with the nature of the framework / template. It is expected that some of the domains would require a multi-pronged approach. For example, data lifecycle may have to be addressed through defining specifications as well as appropriate terms within a Service Level Agreement and Master Services Agreement. This is a pre-requisite for identification of the standards or development of necessary specifications, frameworks and templates. Since the underlying domains are ever evolving, the identified domains needs to be revised on a semi-annual (or periodic) basis. Page 22 of 91

23 Indicative References that may be studied for better understanding of the work item: i. Domains and Sub-Domains listed under the various Reference Architectures need to be studied ii. iii. Security: a. Australia (Cloud Computing Security Considerations) b. Australia (Information Security Principles) c. EU (Cloud Certification Schemes Metaframework) d. Singapore (Mul-Tier Cloud Security) e. Singapore (CSA-MTCS Gap Analysis, Audit Checklist) f. Singapore (ISO Gap Analysis, Audit Checklist) g. Singapore (ISO Gap Analysis, Audit Checklist) h. UK (Cloud Security Guidance: IaaS Consumer Guide) i. UK (Implementing the Cloud Security Principles) j. US (FISMA) k. US (FIPS) l. US (Template and Process Quick Guide) m. US (An Introductory Resource Guide for Implementing the HIPAA Security Rule) n. US (FedRAMP Security Controls & Templates) o. US (NIST Guidelines on Security and Privacy in Public Cloud Computing) p. US (NIST Guide to NIST Information Security Documents) q. US (Continuous Monitoring Strategy & Guide) r. US (Cloud Computing Security Requirements for DoD / Governments (U.S)) s. PCI (Information Supplement: PCI DSS Cloud Computing Guidelines) t. CSA (CCM Info Sheet & CAIQ Info Sheet) u. CSA (Security Considerations for Private versus Public Clouds) v. CSA (Security Guidance for Critical Areas of Focus in Cloud Computing) Privacy: a. Australia (Privacy and cloud computing for Australian Government Agencies Better Practice Guide) b. Australia (Better Practice Checklist Privacy and Cloud Computing for Page 23 of 91

24 Australian Government Agencies) c. CSA (Privacy Level Agreement Outline for the sale of cloud services in European Union) d. US (NIST Guidelines on Security and Privacy in Public Cloud Computing) e. US (Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies) iv. Legal: a. Australia (Negotiating the cloud - legal issues in cloud computing agreements) b. EU (Cloud Contracts Expert Group) c. UK (Contract Terms and Conditions for Eduserv Cloud Computing) d. US (FedRAMP Standard Contract Language) e. US (Creating Effective Cloud Computing Contracts for the Federal Government) v. Miscellaneous a. Australia (Community Cloud Governance An Australian Government Perspective - Better Practice Guide) b. Australia (Cloud Computing Strategic Direction Paper) c. Australia (Records Management and the Cloud - Checklist) d. Australia (Financial Considerations for government use of cloud computing) e. EU (Code of Conduct Expert Group) f. EU (Review of the European Data Protection Directive) g. EU (SLA Expert Group) h. Singapore (Guidelines on Outsourcing) i. US (NIST - Cloud Computing Synopsis and Recommendations) j. US (NIST - Cloud Computing Technology Roadmap Volume 1) Page 24 of 91

25 Work Item 6: Mapping & Evaluation of existing standards & certifications relevant to Cloud Computing While there may be a few areas where standards may not exist, standardization and certification actions for cloud computing are already taking place. The scope of the Agency under this work item includes: 1. Comprehensively identify all the existing published standards & certification schemes from the standards setting / certification organizations relevant to cloud service providers / cloud auditors 2. Map the existing standards & certification schemes to the domains / sub-domains / critical areas (for example, security, interoperability, data protection, ) that they address 3. Framework to evaluate the standards & certification schemes for suitability for adoption for GI Cloud 4. Evaluation of the standards & certification schemes using the developed framework to assess the suitability for GI Cloud 5. Tool that allows customers to choose a set of relevant security objectives and that refers to the certification schemes that contain controls and measures to meet the security objectives. 6. Identify the gaps where standards do not exist or are currently evolving and hence identifying the need for developing specifications Since the underlying standards are ever evolving, the map of existing published standards & certification schemes needs to be updated / revised on a semi-annual (or periodic) basis to be in tune with the new standards. Indicative References that may be studied for better understanding of the work item: i. Australia a. Draft Report on CSP Certification Requirements for the Australian Government ii. UK Page 25 of 91

26 a. Cloud Security Guidance: Standards and Definitions iii. EU a. Auditing Security Measures An Overview of Schemes for Auditing Security Measures b. Cloud Certification Schemes Metaframework c. Certification Schemes Expert Group d. Certification in the EU Cloud Strategy e. ENISA Certification Tool Manual f. Cloud Standards Coordination - Final Report iv. US a. NIST Cloud Computing Standards Roadmap v. Standards from Standards Developing Organizations and Industry Bodies such as: a. Cloud Computing Interoperability Forum (CCIF) b. Cloud Industry Forum (CIF) c. Cloud Standards Customer Council (CCSC) d. Cloud Security Alliance (CSA) e. Distributed Management Task Force (DMTF) f. European Network and Information Security Agency (ENISA) g. European Telecommunications Standards Institute (ETSI) h. Global Inter-cloud Technology Forum (GICTF) i. Health Insurance Portability and Accountability Act (HIPAA) j. Institute of Electrical and Electronics Engineers (IEEE) k. International Organization for Standardization (ISO) l. International Telecommunications Union (ITU) m. National Institute of Standards and Technology (NIST) n. Object Management Group (OMG) o. Open Cloud Connect p. Open Cloud Consortium (OCC) q. Open Grid Forum (OGF) r. Organization for the Advancement of Structured Information Standards (OASIS) Page 26 of 91

27 s. Payment Card Industry Data Security Standard (PCI DSS) t. Storage Networking Industry Association (SNIA) u. Telemanagement Forum (TM Forum) v. The Open Group Work Item 7: Identify Standards & Develop Specifications (where required) against the domain areas identified above (for each of the risk / business impact levels & different cloud service offerings) With respect to accreditation of the offerings of cloud service providers / SaaS providers, it is envisaged that for the majority of the domains / sub-domains / critical areas (for example, security, interoperability, data protection, ), the existing & widely prevalent standards will be adopted. For domains, where such standards do not exist or are still evolving or are proprietary in nature or conflicting in nature, specifications (functional & non-functional requirements) may be developed to address such gaps. In case a standard addresses majority of the sub-areas within a domain and not necessarily all the sub-areas that make up the domain, incremental specifications may be developed to address the gaps. In case substitutable standards exist (i.e., either of the standard may serve the objective) for the same domain, both have to be identified. Also, the exercise needs to identify sector specific (personal identifiable information, SOC, ) standards where available. The scope of the Agency under this work item includes: 1. Background note providing a summary of the consultations with the industry and expert group, a key constituent of this work item. 2. Background note with the analysis of the different standards available for the same domain and the rationale for recommending a particular standard. 3. Recommend standards mapped to the different risk & security levels and the different cloud service offerings 4. Develop specifications where there are no standards or the existing standards may not be suit the risk & security requirements Page 27 of 91

28 5. End-user guide for easier understanding of the recommended standards for the different risk & security levels Since the underlying standards are ever evolving, the recommended standards & developed specifications need to be revised on a semi-annual (or periodical) basis to be in tune with the new standards. Work Item 8: Develop Frameworks, Templates & Guidelines for Standardization of the different Cloud Service Offerings There will be areas identified under the Work Item 5 (e.g., details of the offerings of the cloud service providers, commercial details,..) where standards are not applicable but have to addressed through frameworks, model templates and guidelines. The primary objectives of such frameworks, templates and guidelines is to enable comparison of the cloud service offerings from the different cloud service providers and ensure fair SLAs & contract terms that protect the interests of the government departments. The scope of the Agency under this work item includes developing the frameworks, templates and guidelines. Some of the areas where such frameworks, templates and guidelines are required include: 1. Capturing the various attributes of service offerings of the cloud service providers identified under Work Item 1 including the commercial details 2. Service Level Objectives 3. Service Level Agreements 4. Master Service Agreements 5. Model Request for Proposals for procurement of various cloud services 6. Along with the frameworks, templates and guidelines; end-user guides for easier understanding of the artifacts needs to be prepared Indicative References that may be studied for better understanding of the work item: i. Service Standardization Page 28 of 91

29 a. UK (Standardization of Cloud Service Definitions) ii. RFP a. US (Statement of Objectives for Cloud Services Migration - Template) b. US (Statement of Objectives for IAAS Blanket Purchase Agreement) c. US (IAAS BPA) iii. SLA a. EU (SLA Expert Group) b. EU (CSCC - Practical Guide to Cloud Service Agreements) c. EU (Cloud Service Level Agreement Standardization Guidelines) iv. Contract a. Australia (Better Practice Checklist Privacy and Cloud Computing for Australian Government Agencies) b. UK (Supplier Terms and Conditions for G-Cloud Services) c. EU (Cloud Contracts Expert Group) d. EU (Code of Conduct Expert Group) e. EU (Review of European Union Data Protection Directive) f. US (GSA IaaS Blanket Purchasing Agreement Ordering Guide) g. CSA (Privacy Level Agreement Outline for Sale of Cloud Services) h. CSA (Privacy Level Agreement) v. Miscellaneous a. US (Continuous Monitoring Strategy and Guide) Work Item 9: End-user Guides / Guidelines to assist the end user departments in evaluating and migrating to cloud services In addition the end user guides mentioned in the respective work items, there will be requirement of composite end-user guides to assist the users in easier understanding & navigating the various standards, frameworks, guidelines & templates in their approach towards adoption of cloud services. Page 29 of 91

30 The scope of the Agency under this work item includes developing the end user guides / guidelines. Some of indicative guides include: 1. Guide to implementing cloud services overview & steps involved in the lifecycle: identifying the opportunity, evaluating the applications, identifying the right deployment model, evaluation & selection of a cloud service provider, contracting, planning for migration, managing the migration and monitoring the implementation 2. Framework for evaluating the suitability of applications / services / projects to leverage Cloud Services (IaaS, PaaS & SaaS) 3. Selecting a Cloud Service (IaaS, PaaS, DRaaS, ) and appropriate Cloud Deployment Model 4. Considerations, Checklists & Best Practices with respect to Standards, Security, Transition, SLA, Financial, Legal aspects, when migrating to cloud based services (IaaS, PaaS and SaaS) 5. Defining scope of services clearly delineating the responsibilities of the cloud service providers, implementation agencies and departments in the entire implementation 6. Capacity Sizing Guidelines for estimating compute, storage, and network requirements 7. Guidelines for selection (e.g. evaluation criteria) of the right cloud service provider for the required services / application 8. Application development / migration guidelines for deploying applications on cloud environments 9. Guidelines for cloud platform based service development 10. Assessing the cloud readiness of an existing application 11. Migration roadmap and plan for cloud enablement and productisation of an existing application 12. Resource Management Guide providing references to applicable Laws, Regulations, Standards and Guides applicable when leveraging cloud services Page 30 of 91

31 Indicative References that may be studied for better understanding of the work item: i. Australia a. A Guide to Implementing Cloud Services A Better Practice Guide b. Resource Management Guide No. 406 Australian Government Cloud Computing Strategy ii. iii. iv. UK EU US a. Cloud Security Guidance: Risk Management b. Cloud Security Guidance: Separation a. Moving to the Cloud A White Paper b. Practical Guide to Cloud Computing Version 1.0 a. Guide to NIST Information Security Documents Work Item 10: Capacity Building Curriculum, Content & Artifacts There is a key need to create the awareness of these initiatives in the user departments, showcase the advantages of migrating to cloud services and ways to address the potential risks for faster adoption of the policy. It is expected that there will be a need for a variety of training programs, at a minimum, that include: 1. Awareness Workshops to enhance the awareness of participants with respect to leveraging cloud services in their IT initiatives and to increase the visibility of Cloud by showcasing Best Practices & Guidelines and Model RFPs / MSAs day dedicated Capacity Building Programs covering Basics of cloud technology, policy, guidelines and Cloud service offerings etc. to build user capacities in evaluating & procuring cloud services day dedicated Technical Capacity Building Programs on the Technical Architecture, Standards,.. for technical audience Page 31 of 91

32 4. Cloud related sessions conducted under the NeGD capacity building programs The scope of the Agency under this work item includes: 1. Design the right kind of training programs 2. Design the curriculum for each of the recommended training programs 3. Design the content & develop the necessary training artifacts in the form of presentation decks, reading material, e-learning modules and certification courses 4. Develop case studies of projects successfully leveraging cloud services to showcase adoption of cloud solutions 5. Conduct Training of Trainers (ToT) to validate the designed curriculum, content and artifacts. The infrastructure and premises required for conducting the training will be provided by DeitY. The trainings will be conducted in NCR region for at least 5 batches (minimum batch size of 15) for each of the designed training programs. However, implementation of the Capacity Building Programs is out-of-scope for the Agency. Work Item 11: Accreditation / De-Accreditation Strategy, Guidelines, Processes & Templates for Accreditation of the Offerings of Cloud Service Providers Accreditation of the offerings of Cloud Service Providers as per the identified standards eliminates the necessity of the technical scrutiny of the cloud services by multiple interested departments. This provides assurance of the offerings of cloud service providers and facilitates easier adoption of the cloud services by the user departments. The scope of the Agency under this work item includes: 1. Design an accreditation / De-accreditation strategy defining the role of auditors, cloud service providers and DeitY in accreditation value chain 2. Develop necessary guidelines, processes & templates for the accreditation (initial as well as maintaining & re-accreditation) of the offerings of the cloud services providers that will be adopted by the cloud service providers to get their offerings audited 3. Develop the guidelines and reporting framework for continuous monitoring of operations to ensure compliance Page 32 of 91

33 4. Develop the end-user guides on the accreditation process and prepare the Accreditation Handbooks for various service offerings, Guide for Cloud Service Providers for getting accredited, maintaining the accreditation and getting reaccredited at periodic intervals) among other relevant manuals Indicative References that may be studied for better understanding of the work item: i. Models adopted for UK (G-Cloud), US (FedRAMP) and Singapore (MTCS) Work Item 12: Accreditation / Empanelment Strategy, Guidelines, Processes & Templates for Accreditation / Empanelment of the Cloud Auditors In order to be accredited by DeitY, the CSPs need to get their services audited by an accredited / empaneled Auditor. The scope of the Agency under this work item includes: 1. Design an accreditation / empanelment strategy for the Cloud auditors 2. Develop necessary guidelines, processes, templates and RFPs for the accreditation / empanelment (initial as well as maintaining accreditation, re-accreditation and deaccreditation) of the Cloud Auditors 3. Develop the end-user guides on the accreditation / empanelment process and prepare the Cloud Auditor Accreditation Handbook, Guide for Cloud Auditors for getting accredited, maintaining the accreditation and getting re-accredited at periodic intervals) among other relevant manuals 4. Develop handbook for Cloud Auditors to certify the Cloud Service Providers Indicative References that may be studied for better understanding of the work item: i. Models adopted for UK (G-Cloud), US (FedRAMP) and Singapore (MTCS) Page 33 of 91

34 Work Item 13: Guidelines for providing PaaS & SaaS services (egov AppStore) The e-gov App Store ( is a national level common repository of customizable and configurable applications, components and web services that can be reused by various government agencies/departments at Centre and States, which will include the setting up of a common platform to host and run applications (developed by government agencies or private players) at National Clouds. The scope of the Agency under this work item includes: 1. Define certification guidelines and underlying processes with respect to continuous certification of applications from private vendors and government departments. 2. Guidelines and standards on pricing models for applications available on the AppStore 3. Preparation of guidelines for audit of applications 4. Monitoring mechanism/governance framework for the compliance with GI Cloud standards, guidelines, norms and policies 5. Design the underlying procurement mechanisms & contracts or MoAs for the user departments to seamlessly procure applications from the AppStore Work Item 14: Accreditation Strategy, Guidelines, Processes & Templates for Accreditation of the Offerings of SaaS Providers Accreditation of the offerings of SaaS Providers as per the identified standards eliminates the necessity of the technical scrutiny of the SaaS offerings by multiple interested departments. This provides assurance of the offerings of SaaS providers and facilitates easier adoption of the SaaS by the user departments. The scope of the Agency under this work item includes: 1. Design an accreditation strategy defining the role of auditors, SaaS providers and DeitY in accreditation value chain Page 34 of 91

35 2. Develop necessary guidelines, processes & templates for the accreditation (initial as well as maintaining & re-accreditation) of the offerings of the SaaS providers that will be adopted by the SaaS providers to get their offerings audited 3. Develop the guidelines and reporting framework for continuous monitoring of operations to ensure compliance 4. Develop the end-user guides on the accreditation process and prepare the SaaS Accreditation Handbook, Guide for SaaS Providers for getting accredited, maintaining the accreditation and getting re-accredited at periodic intervals) among other relevant manuals Work Item 15: Accreditation / Empanelment Strategy, Guidelines, Processes & Templates for Accreditation / Empanelment of the SaaS Auditors In order to be accredited by DeitY, the SaaS providers need to get their services audited by an accredited / empaneled Auditor. The scope of the Agency under this work item includes: 1. Design an accreditation / empanelment strategy for the SaaS auditors 2. Develop necessary guidelines, processes, templates and RFPs for the accreditation / empanelment (initial as well as maintaining accreditation, re-accreditation and deaccreditation) of the SaaS auditors 3. Develop the end-user guides on the accreditation / empanelment process and prepare the SaaS Auditor Accreditation / Empanelment Handbook, Guide for SaaS Auditors for getting accredited, maintaining the accreditation and getting reaccredited at periodic intervals) among other relevant manuals 4. Develop handbook for SaaS Auditors to certify the SaaS Providers Page 35 of 91

36 Work Item 16: Procurement Guidelines With the adoption of cloud services, the procurement model has to evolve from a primarily Capex to an Opex or Pay-per-use model. The scope of the Agency under this work item includes: 1. Identify the areas that need legal / policy level interventions 2. Formulate recommendations on new procurement guidelines, amendments to procurement laws for procurement of services available on the GI Cloud Services Directory and egov AppStore. Develop end-user guides for easier understanding of the deliverables needs to be prepared. Miscellaneous Activities Apart from the above work items, the Agency is also responsible for the below set of activities: 1. Support DeitY and End User Departments a. Be available on phone, and video conference to support the stakeholders (e.g., departments, cloud service providers, SaaS providers, OEMs, System Integrators,..) queries / requests on developed standards, specifications, frameworks, templates and guidelines. b. Create and continuously update FAQ on the portal c. Seek feedback from the end-user departments on the developed artifacts and where required refine or develop additional frameworks / guidelines / user guides based on the inputs d. Support DeitY in preparation of draft response to various queries received from other government/private organizations, RTI queries etc. on the published standards, guidelines, frameworks, etc. e. Continuously monitor local and international trends on cloud services and integrate / leverage any learning Page 36 of 91

37 6. Deliverable Preparation Methodology Approach Note and Deliverable Template At the onset of each work item, the team should provide an approach note and templates of proposed deliverables for the respective work item. The approach note should at a minimum detail the secondary research and industry consultations proposed to be carried out. The team will meet with DeitY to review the approach and deliverable templates, tailored to accommodate the needs of the specific work item, and agree on the scope, approach, format, and content of each of the deliverables under that work item. The agreements made during this meeting will be captured in a Deliverable Review Document (DRD) for each deliverable. A deliverable evaluation scorecard will be used to measure the deliverable (e.g., completeness, consistency, quality, and presentation) against the acceptance criteria defined in the DRD. As project deliverables are submitted, DeitY will review them against the agreed upon DRD. When comments are provided, the team will address the comments and/or revise the deliverable and resubmit it within five days. The agreement on the scope of the deliverables at the beginning of each phase will reduce the need for multiple rounds of revisions and allow timely acceptance. Secondary Research The team is expected to study the available models, standards, guidelines adopted in different countries (EU, US, UK, Singapore, Australia,...), relevant international organizations including standard development organizations (CSA, NIST,..) during the preparation of the deliverables under the different work items. In case any content is used from the existing artifacts, complete references (at the appropriate place) of the same shall be added within the deliverable. All the external resources researched to prepare the deliverable needs to be tagged and uploaded to the project website. Page 37 of 91

38 Consultations with Industry & Industry Groups The team is also expected to consult with various experts from the Academia, Research Agencies, Industry Groups (e.g., CCICI, CSA, DSCI, ) & industry (e.g., cloud service providers, system integrators, OEMs, Cloud Consultants,..) to get inputs on the deliverables. The consultations along with the list of the stakeholders consulted and summary of discussions, inputs, comments, feedback received needs to be comprehensively brought out into the background note accompanying the deliverables. The comments / feedback / inputs at each stage of the approval process should also be captured in the background note. Example Case Studies In case a framework is created, where applicable, the team shall detail the example case studies / scenarios / use cases within the respective frameworks and / or end-user guides to demonstrate the use of the framework. The user guides / guidelines should be created from the end-user perspective. Document Revision History Each of the deliverables shall capture the document history with the initiating agency (indicating author, reviewer and approver within the organization), expert group reviews and final approvals. The editable versions of the deliverables have to be submitted to DeitY and the same including the interim deliverables will become the intellectual property of the DeitY. Where required, the deliverables may need to be revised on a semi-annual (or periodic) basis. Version Management The team shall maintain all project documents including the summary of discussions, meeting minutes, multiple revisions/versions of the deliverables in a version control tool that will be provided by DeitY. Project Management The team shall keep the project plan and all related artifacts up-to-date during the course of the project in a project management tool that will be provided by DeitY. Page 38 of 91