5.7 Setting Technical and Other Specifications

Whenever appropriate and prior to any purchase, quotation or tender being sought, it is extremely important that a clear and comprehensive list of requirements is compiled, agreed and set. These can take the form of a full Technical Specification or an Output Based Specification (OBS). Put simply, an OBS describes (in everyday language) what business goal(s) the proposed procurement aims to achieve. Each element should be checked to ensure that the stated need is clearly defined, that it matches the actual requirement and that it is neither under nor over specified. Care should also be taken to ensure that the wording of the stated requirement is not unnecessarily restrictive in the sense that it would or could be construed to have been drafted in such a way as to limit the number of potential suppliers. (Where an OBS is being used, do not be tempted into prescribing the way in which the business goal has to be achieved, as this is likely to reduce both the number of potential suppliers and, sometimes more importantly, the quality of innovative solutions.)

Relevant environmental and social requirements may be specified but must be directly relevant to the goods and/or services being procured. They should be set out as part of the evaluation criteria in the Tender Advert and defined sufficiently precisely within the Tender Documentation to allow bidders to understand the requirement and to allow the award of contract. Production process standards and eco label criteria can be referenced, but alternatives which demonstrate equivalence must be considered.

Where certification to relevant accreditation bodies is being requested, these certificates should be checked during the supplier due diligence phase to ensure that they are valid and relevant to the contract.

Information Assurance (IA)

Where the requirement is likely to involve handling, processing or storing RoS data, consideration should be given to protecting such data, and applicable goods and services covered by IA schemes should be sourced and purchased from approved suppliers.

“Information is fundamental to the business of government. Effective IA is core to ensuring that this asset is safeguarded appropriately.”

The continued growth throughout government in the use of ICT systems, all linked together, carries with it increased vulnerability. In addition, these ICT systems are under threat of attack from foreign intelligence services, criminal gangs, and even individuals inside the organisation.

Protection against such threats and vulnerabilities is essential.

Across the public sector, suitable precautions should be taken to safeguard its information. Therefore, every ICT or information-related system or service must contain Information Assurance (IA) requirements. Indeed, IA extends beyond ICT contracts since, for example, even in construction projects there is likely to be an ICT system used in designing, managing or communicating about the project, and this will have IA requirements.

What are IA Assured Products and Services?

Assurance is the confidence that may be held in the security provided by a system or product. There is a broad range of products and services, from firewalls, access control products and operating systems through to data erasure products, that have been technically assessed and certified by NCSC, or their partners around the world, and offer the end users ready-made assurance.

Further guidance is available from the NCSC website.